It’s been a few months since I last had time to write an SFOS update article. In the future it will be better again. That’s why I’m even more excited to present the new features and improvements in SFOS 19.5.
The update is for all Sophos firewalls in the SG, XG and XGS series and also the virtual appliances or instances on cloud platforms such as Azure or AWS.
The following models will not receive the update because they do not have 4 GB RAM: XG 85(w), XG 105(w), SG 105(w)
Vulnerability CVE-2022-3236 is closed
A code injection vulnerability in the user portal and WebAdmin allows an attacker to execute code in Sophos Firewall, version v19.0 MR1 and older. CVE-2022-3236
Hosts and Services Search
In SFOS v19, the object search in the firewall rules has been massively improved. In some places, however, the search function was still missing, as with the Hosts and Services objects. Here it is possible to search by name, port or IP address, which also simplifies finding duplicate objects.
Deleting duplicate objects then, if they are still used, is still not that easy, because you don’t get a hint where this object is used.
Sophos introduced the new feature in a bit more detail in a 2min video.
Azure AD SSO for Webadmin login
Azure AD has been available on Sophos Central for some time. With v19.5, Azure Active Directory (Azure AD) integration is now coming to Sophos Firewall for Single Sign-on (SSO) on the Webadmin console.
The Azure AD integration also enables dynamic role and group access management. This means that you can create your own rights profiles on the firewall or use the existing ones and then assign them to a user on Azure AD.
Sophos Firewall v19.5 Azure AD integration for web admin login
The Azure AD integration for the Webadmin login is certainly a great start. It will be exciting when remote access users (SSLVPN or IPsec) and the user portal also work with it.
High Availability Improvements
There is also a really good improvement for HA clusters. A small renewal is e.g. the hint when creating the cluster that the license must be present on the primary device or for an Active-Active Cluster, which we actually only almost never use, the license must be present on both appliances.
It is now possible that you can configure multiple HA links and only via a direct connection, but also via LAGs and VLANs.
VLAN interfaces can now also be added during interface monitoring.
The status page now provides much more important information. It is visible on which node the license is activated. The date and time when the last status change of the cluster was. You can assign a name and no longer have to remember the serial number.
The widget in the Control Center has moved to the top right and also shows more information about the cluster. The tab name now also shows which node you are connecting to, although I would rather have the firewall hostname here, since I never log on to Node2 anyway.
Here, too, there is a video in which these improvements are shown.
SD-WAN Load Balancing
SD-WAN has been available since v19 and it is possible to create load balancing in the profiles in the new version. Round Robin or Session Persistence are available as methods.
The connections are distributed to the selected connections based on the weighting. In the screenshot, both gateways currently have a weighting of 1, which means that the connections are distributed evenly to both gateways.
With Session Persistence, you can define whether traffic should be split by source IP, destination IP, both simultaneously, or by connection.
This renewal applies to the SD-WAN profile. Of course, you can create multiple profiles and use them according to the requirement of the routing strategy based on the application, source, destination or service.
More performance for all Sophos XGS firewalls
Each Sophos XGS appliance has a dual-processor architecture. Sophos accelerated some connections by double compared to the XG series when the XGS series was launched. It was announced that with upcoming software updates, processes will be offloaded from the CPU to the NPU to improve performance. With version 19.5, more processes will be handled by the Xstream Flow processor and thus accelerated. Thanks to this development, the number of IPsec VPN tunnels has simply been doubled for the XGS models in this release.
On the XGS 4300, 4500, 5500 and 6500 models, TLS-encrypted connections are accelerated on the FastPath, making deep packet inspection even more performant.
Other minor improvements in v19.5
The new dynamic routing engine provides support for OSPFv3. OSPFv3’s innovations include support for IPv6, smaller header size, and no longer uses MD5 for authentication. OSPFv3 completely eliminates its own support for authentication and instead relies on the more flexible IPsec framework of IPv6.
Improved log file storage enables detailed troubleshooting.
Improved support for 40G interfaces with automatic detection of extended port configurations on XGS 5500 and 6500 models.
The hardware support for the 5G modules, which was listed in the EAP, is now no longer included in the final version v19.5. I guess the modules are coming a bit later than expected.
Sophos Firewall OS v19.5 Enhancements video
As you can see, Sophos is now putting a lot of effort into showing the new features in videos, which we think is very cool. Often there were new features that were lost in the release notes and only a few people noticed. In addition to the feature videos above, there is also a video about Sophos Firewall 19.5 as a whole.
Updates are no longer free for long
Maybe the info didn’t reach everyone: Sophos Firewall updates no longer free of charge
So now we would have the first update since version 19.0 MR1 and the counter for the free updates starts at three. After the installation, more precisely when uploading the new firmware image 19.5, it is then at two.
If you now look at the innovations in this update, which is admittedly a major update, but you can already see that here are many new features that make the Sophos Firewall again a bit better. This development has to be paid for, and as you know from smartphone apps, many developers are switching to the subscription model to get paid for this very development.
Therefore, if the firmware counter is then at zero, you need an Enhanced Support license, which is included individually or in a license bundle such as Standard Protection, Xstream Protection or Epic Protection.