Sophos Firewall v20 - Best features in the new SFOS release
The major versions are by far the most exciting releases of the year, and with Sophos Firewall v20, or more precisely SFOS v20, Sophos is bringing some genuinely great new features. At the moment this is EAP1, an Early Access version. If Sophos sticks to its usual schedule, the final version is not expected until the end of the year or early 2024.
Web Admin optimized for 1920p
In Sophos’ feature list, this improvement appears right at the bottom among the less important changes included in the new version: support for high-resolution screens. Statista’s figures show that 1920p monitors have been more than common since 2018, so this feature is long overdue. I am genuinely celebrating this feature. 🥳 It was extremely annoying that so much white space remained unused while text was still being cut off.
However, not everything is optimized for 1920p yet, and the GUI still needs some polish in many places, for example in the dashboard. This is expected to follow with v20.5.
If you look at the difference from SFOS v19.5 to SFOS v20, you finally get more space.
The credit here does not really go to Sophos, however, but to several large Sophos partners who encouraged the vendor to implement this. So many thanks are due at this point.
VPN Improvements
Sophos Firewall v20 brings several updates in the area of VPN. Let’s start with probably the biggest change.
VPN Portal
With the update to SFOS v20, the VPN functions are moved from the User Portal to the new VPN Portal. In future, users will therefore have two portals, assuming the User Portal is still used frequently at all. More on that at the end.

The new VPN Portal in SFOS v20 centralizes VPN-specific functions that were previously in the User Portal.
- Download Sophos Connect Client for Windows and macOS
- Download configuration for Remote SSL VPN and IPsec
- Access to Clientless Bookmarks

Containerization minimizes access to core SFOS components, making use over WAN more secure. Functions related to authentication methods or MFA remain the same as in the User Portal.
Migration to SFOS 20.0 automatically transfers existing User Portal configurations to the VPN Portal, which makes the transition easier. There is now a new port for the User Portal, while the VPN Portal runs on the previous port.

What changes for the portals after the update to SFOS v20?
| VPN Portal | User Portal |
|---|---|
| Default port: 443, so existing Remote Access VPN deployments continue to run unchanged. | Default port: 4443 |
| Port can be shared with the WAF and SSL VPN. | Port cannot be shared with any other service. |
| Downloads: Sophos Connect Client, IPsec and SSL VPN config, iOS VPN config. Guest users have no access to the VPN Portal. | VPN client and configs have moved to the VPN Portal. |
| Auto-provisioning for Sophos Connect Client; VPN configuration retrieval via the VPN Portal; with the standard port 443, existing deployments remain unchanged. | Moved to the VPN Portal |
| Clientless access to bookmarks | Moved to the VPN Portal |
| (nothing further) | Other client downloads; Internet usage; Email quarantine and exceptions; Policy overrides; Wireless hotspots |
More information on the topic can be found in the Sophos KB: New VPN portal in SFOS 20.0 and later
You can now clearly see which functions remain in the User Portal. Looking at the user base for these functions shows that only a very small number of our customers used them, which means the User Portal will be used less often from now on.
IPsec VPN Stateful HA Failover
Sophos Firewall v20 introduces Stateful High Availability (HA) failover for IPsec VPN connections. This new feature allows existing IPsec VPN connections to be transferred seamlessly to the standby node during a failover without interrupting the sessions. It is important to clarify which VPN connections benefit from this improvement and which do not.
The improvement affects the following VPN connections:
- IPsec Site-to-Site VPNs (Route Based and Policy Based)
- IPsec Remote-Access VPNs
This means that both Remote-Access VPNs and Site-to-Site VPNs can be continued in the event of a failover without having to re-establish the connection.
In the context of IPsec VPNs, this function is particularly useful because it speeds up connection recovery in the event of a failover and therefore increases network resilience. Connection recovery in particular repeatedly caused problems, and after a failover VPN connections had to be restored manually or automatically with a certain delay. This could lead to interruptions in network services, which in turn affected business processes. Now, at most, a few pings are lost, but the connection stays up.
With the improved Stateful HA failover in Sophos Firewall v20, even large organizations that depend on high availability can benefit from increased stability and smooth operation. The new command-line options for managing the settings also provide the flexibility and control needed when working with VPN connections.
Other VPN connections such as SSL VPN and Sophos RED connections are not affected by this specific failover improvement, but in our experience they also re-establish their connections more reliably after a failover.
FQDN Host Support for SSL VPN
SFOS v20 adds support for Fully Qualified Domain Names (FQDN) within SSL VPN functionality. With this new feature, SSL VPN connections can now be configured based on domain names instead of only IP addresses. This is particularly helpful in dynamic network environments where endpoint IP addresses can change, because network address changes no longer have to be updated manually in the VPN configuration.
FQDN support also facilitates integration with DNS services, which simplifies the resolution of network names and can improve the overall performance of SSL VPN connections.
Furthermore, FQDN support enables more precise creation of security policies based on domain names, allowing more targeted control of network access.
SNMP - Monitor IPsec VPN Tunnel Status
Sophos Firewall SFOS v20 adds the ability to monitor the status of IPsec VPN tunnels via the Simple Network Management Protocol (SNMP). This has also been on our wish list for some time and now simplifies monitoring for additional services.

The core component of this function is the Management Information Base (MIB) file provided by Sophos Firewall. The MIB file is imported into the SNMP tool and provides access to a variety of data points with important information about the status, performance, and possible errors of the IPsec VPN tunnels. This enables administrators to monitor and analyze tunnel activity in detail.
Azure AD - Captive Portal SSO & Group Import
Sophos Firewall v20 brings expanded integrations with Azure Active Directory (Azure AD) through two new features: Azure AD SSO for Captive Portal and Azure Group Import and RBAC.
The Azure AD SSO for Captive Portal feature allows users to authenticate to the Captive Portal using their Azure AD credentials. This simplifies the authentication process by allowing users to use their existing Azure AD credentials.
The second update, Azure Group Import and RBAC, adds a new import wizard for Azure AD groups and enables automatic promotion for role-based admin changes. With this function, administrators can easily import Azure AD groups into Sophos Firewall and use them for role-based access control (RBAC). The automatic promotion function simplifies the management of user roles and permissions by automatically promoting changes in role-based admin assignments.
The expansion of Azure AD is a step forward, but unfortunately, we still have to wait for the use of Azure AD login for the VPN Portal, Remote IPsec VPN, or SSL VPN. So we are hoping for updates. 😩
To set up Azure AD on the firewall itself, these links help:
- Set up an Azure Application
- Sophos Firewall v21.5: Entra ID SSO Integration for Sophos Connect Client
Enable / Disable Interfaces
A long-awaited function for administrators has been integrated: enabling and disabling interfaces. This useful function was already available in the previous Sophos UTM operating system, and SFOS v20 now fulfills administrators’ wish to bring this functionality back.
Previously, an interface could only be completely deactivated, which resulted in the loss of the entire configuration.

If an interface is now disabled in the settings, the entire configuration remains intact and the interface can be reactivated easily if required.

When disabled, the interface row is grayed out, and in the Control Center, the status is displayed as “Turned off”. This improvement significantly simplifies firewall management and saves administrators valuable time in configuring and managing network interfaces.
There are some exceptions where interfaces cannot be enabled or disabled. For example, alias or tunnel interfaces, or interfaces that are individual members of a LAG (Link Aggregation Group) or bridge, cannot be disabled. However, the entire LAG or bridge interface can be disabled.
| Interface Type | Enable/Disable Supported |
|---|---|
| Physical | Yes |
| VLAN | Yes |
| LAG (Group) | Yes |
| LAG individual member | No |
| Bridge | Yes |
| Bridge individual member | No |
| Alias | Planned |
| Wireless LAN | Yes |
| Tunnel Interface (XFRM) | No |
| Wi-Fi | Yes |
| RED | Yes |
*Sophos Firewall v20 (SFOS v20) - Interface Enable/Disable Support*
Object Referencing
The new “Object Referencing” feature in Sophos Firewall version 20 addresses a long-standing challenge in managing network objects. In previous versions up to 19.5, identifying where a specific object was used within the configuration before it could be deleted was a tedious task. This could lead to delays and potential errors, especially in large network environments with many rules and policies.
In version 20, this weakness has been addressed. For objects under the “Hosts and services” menu item, all objects are organized in tabs, and with SFOS v20, Sophos Firewall shows exactly where an object is being used, whether in a firewall rule, NAT rule, VPN configuration, or as a service in a group. This makes it easier to identify dependencies and helps administrators make the necessary changes before deleting an object.
Another powerful feature is the direct link to the rules where the object is used. With a single click, the administrator can now navigate directly to the relevant rule and make the necessary adjustments without spending time searching for it manually. This improves efficiency, reduces the risk of errors, and saves valuable time that would otherwise be spent managing and reviewing the configuration. Object Referencing in Sophos Firewall v20 is therefore an important step toward simplifying management and avoiding configuration errors, making the daily work of network administrators much easier.



The references are updated once a day, but the update can also be triggered manually.
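To illustrate what the reference lookup has to do behind the scenes, here is an added example (my own code, not Sophos' implementation or an SFOS export format): a constructed miniature configuration in which host objects are referenced from firewall rules, NAT rules, IPsec configs and a host group, plus a lookup that also surfaces indirect use through group membership, which is exactly the case that was easy to miss before v20. Single-level groups are assumed.

```python
from collections import defaultdict

# Constructed miniature of an SFOS-style configuration (assumption, not a Sophos format):
# objects are referenced by name from firewall rules, NAT rules, VPN configs and groups.
CONFIG = {
    "hosts": ["Web-Srv", "DB-Srv", "Branch-LAN", "Old-Proxy"],
    "host_groups": {"DMZ-Servers": ["Web-Srv", "DB-Srv"]},  # single-level groups only
    "firewall_rules": {
        "Allow-Web": {"src": ["Any"], "dst": ["DMZ-Servers"]},
        "Branch-to-DB": {"src": ["Branch-LAN"], "dst": ["DB-Srv"]},
    },
    "nat_rules": {"DNAT-Web": {"dst": ["Web-Srv"]}},
    "ipsec_vpn": {"Branch-S2S": {"local": ["DMZ-Servers"], "remote": ["Branch-LAN"]}},
}


def build_reference_index(config):
    """Map each object name to the (section, item) places that use it, directly or via a group."""
    index = defaultdict(list)
    # Direct references from rules and VPN configurations.
    for section in ("firewall_rules", "nat_rules", "ipsec_vpn"):
        for item, fields in config[section].items():
            for names in fields.values():
                for name in names:
                    index[name].append((section, item))
    # Group membership: a member is used wherever its group is used, plus in the group itself.
    for group, members in config["host_groups"].items():
        for member in members:
            index[member].append(("host_groups", group))
            index[member].extend(index[group])
    return index


def where_used(config, name):
    """Sorted, de-duplicated list of places an object is referenced (what the v20 GUI shows)."""
    return sorted(set(build_reference_index(config)[name]))


def safe_to_delete(config, name):
    """An object can be removed only when nothing references it any more."""
    return not where_used(config, name)
```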
Sophos calls this “Quality of Life Enhancements”. In reality, it is more like finally addressing long-awaited customer requests.
IPv6 Dynamic Routing (BGP)
Sophos Firewall v20 expands support for dynamic routing with IPv6 in the Border Gateway Protocol (BGP). This extension is an important upgrade because BGP is a central routing protocol on the global internet. Unlike other routing protocols, BGP in SFOS does not require separate processes or services for IPv4 and IPv6, but offers a standardized service that simplifies configuration and management. The user interface has been expanded so that both IPv4 and IPv6 can be configured on the same page, with separate sections available for IPv4 and IPv6 routing information.
IPv6 DHCP Prefix Delegation
With the introduction of DHCP Prefix Delegation in Sophos Firewall SFOS v20, IPv6 address management is automated. This function allows IPv6 address prefixes to be obtained from the provider and forwarded to the LAN network. When an IPv6 address is received on the WAN interface, it can now be used in the LAN network. Through a DHCPv6 Prefix Delegation request to the ISP, the firewall receives an IPv6 address range, which is then passed on to the network devices. These receive their globally routable IPv6 addresses through Router Advertisement (RA) messages.
DHCP Prefix Delegation significantly simplifies IPv6 address management and enables seamless adaptation to changes in the ISP prefix by automatically distributing new prefixes to all connected clients. This improves network efficiency and security, reduces the complexity of manual address management, and supports more efficient use of IPv6 addresses in the network. This allows certain services in the network to be offered using the IPv6 addresses received from the provider.
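To make the mechanism concrete, here is an added example (my own code, not part of the article or of SFOS) that carves the prefix returned by a DHCPv6-PD request into one /64 per LAN segment, composes a client address from the RA prefix and an interface identifier, and shows what changes when the ISP hands out a new prefix. The delegated prefixes and segment names are constructed from the RFC 3849 documentation range.

```python
import ipaddress

# Constructed example values: an ISP-delegated /56 and the LAN segments behind the
# firewall. Both are assumptions for illustration, not Sophos defaults.
DELEGATED_PREFIX = "2001:db8:ab00::/56"
LAN_SEGMENTS = ["LAN", "Guest", "Servers", "IoT"]


def derive_lan_prefixes(delegated, segments):
    """Split the delegated prefix into one /64 per LAN segment, in list order.

    Each /64 is what the firewall announces in Router Advertisements on that
    segment, so clients autoconfigure globally routable addresses from it.
    """
    pd = ipaddress.IPv6Network(delegated, strict=True)
    if pd.prefixlen > 64:
        raise ValueError(f"{delegated} is too small to carve /64 subnets from")
    available = 2 ** (64 - pd.prefixlen)
    if len(segments) > available:
        raise ValueError(f"{len(segments)} segments but only {available} /64s in {delegated}")
    subnets = pd.subnets(new_prefix=64)  # lazily yields the /64s inside the delegated block
    return {name: next(subnets) for name in segments}


def host_address(prefix, interface_id):
    """Address a host forms from the RA prefix and its 64-bit interface identifier (EUI-64 or random)."""
    net = ipaddress.IPv6Network(prefix)
    return ipaddress.IPv6Address(int(net.network_address) | interface_id)


def renumber(old_delegated, new_delegated, segments):
    """What changes on each segment when the ISP delegates a different prefix: segment -> (old, new)."""
    old = derive_lan_prefixes(old_delegated, segments)
    new = derive_lan_prefixes(new_delegated, segments)
    return {name: (str(old[name]), str(new[name])) for name in segments}
```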
The following video explains DHCP Prefix Delegation again.
Active Threat Response
The following improvements enable seamless communication between security analysts and Sophos Firewall for a proactive response to identified threats.

Synchronized Security for MDR & XDR
With Extended Detection and Response (XDR), Sophos Firewall v20 represents a significant advancement in automated threat defense. This function establishes a direct information link between security analysts and the firewall, enabling a fast and automated response to active threats.
Threat data can now be seamlessly shared with the firewall without having to manually create firewall rules. This automated information exchange allows the firewall to proactively respond to identified threats and take appropriate defensive measures.
Advantages:
- Reduced manual administrative effort
- Increased response speed to threats
- Improved overall network security posture
- Automated threat response
- Reduced time spent by the security team on manual configuration and adjustment of firewall rules
Sophos Firewall v20 extends Synchronized Security to include Managed Detection and Response (MDR) and Extended Detection and Response (XDR). This extension allows security analysts to share active threat data directly with the firewall. One highlight is that the firewall can automatically respond to active threats without separate firewall rules having to be created. This development provides significant added value because it substantially reduces response time and enables proactive protection.
Dynamic Threat Feeds
The introduction of Dynamic Threat Feeds brings a new Threat Feed API Framework, which will also be extensible. This function facilitates the exchange of threat data between the Sophos X-Ops team and other Sophos products such as MDR and XDR, and is intended to integrate third-party threat feeds in the future. This increased flexibility greatly expands the firewall’s threat intelligence capabilities, enabling improved threat detection and response.
Synchronized Security
Synchronized Security will be further optimized to enable an even more efficient response to threats identified by MDR/XDR.
A red health status on an endpoint or server typically indicates problems such as active or running malware, malicious network traffic, communication with known malicious hosts, unremoved malware, or a Sophos Endpoint not functioning correctly. In such cases, measures are required to address the security risks.
The automated response (Lateral Movement Protection) for a red health status is now extended to threats to ensure that affected hosts, in the event of a compromise, cannot move laterally within the network or communicate externally, while important details such as host, user, and process remain easy to access for follow-up.
The scalability of Synchronized Security has also been optimized to facilitate management in large network environments. False positives due to missing heartbeats on devices in standby or hibernation have been reduced.
New WAF Features
Geo IP Control (Block countries / regions)
Sophos Firewall has a Geoip ip2country DB, which is updated through pattern updates. This could already be used in firewall and NAT rules or Local Service ACL Exception Rules. After the update to SFOS v20, the Web Application Firewall (WAF) can block access to servers based on geographic location (IP addresses). Users can now block specific countries, regions, or continents, or allow access only from certain regions. This function increases security by preventing access from potentially malicious regions while also providing an additional layer of access control.

Cipher Configuration
Custom cipher configuration and TLS version settings now allow stronger encryption (more secure ciphers) to be used and weaker ones to be excluded. This enables better control over the security of data transmission between users and the applications protected by the WAF.
HSTS and X-Content-Type-Options
Improved security through HSTS and X-Content-Type-Options: the implementation of HTTP Strict Transport Security (HSTS) enforces the use of HTTPS, which improves the security of client browsers. The X-Content-Type-Options setting helps disable MIME type sniffing, providing additional protection against certain types of attacks.
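After enabling these two settings on a WAF rule, a practitioner wants to confirm what the browser actually receives. The following added example (my own code, not from the article or from Sophos) parses the Strict-Transport-Security directives and checks both headers against a policy; the minimum max-age and the two sample responses are constructed assumptions.

```python
import http.client

# Assumed policy threshold: one year is the common minimum before HSTS preload lists accept a host.
MIN_HSTS_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value} with lower-cased names."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def audit_headers(headers):
    """Return findings for the two hardening headers the SFOS v20 WAF can set.

    `headers` maps header name -> value (looked up case-insensitively).
    An empty list means both controls are present and sane.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: browsers will still accept plaintext HTTP for this host")
    else:
        d = parse_hsts(hsts)
        if not d.get("max-age", "").isdigit():
            findings.append("HSTS max-age missing or not numeric")
        elif int(d["max-age"]) < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {d['max-age']} is below {MIN_HSTS_MAX_AGE}s")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains: subdomains stay downgradable")

    if lower.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff': MIME sniffing stays enabled")
    return findings


def fetch_headers(host, path="/"):
    """Fetch live response headers over HTTPS (not used by the offline samples below)."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", path)
    return dict(conn.getresponse().getheaders())


# Constructed sample responses: one with the new WAF settings on, one without.
HARDENED = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains",
            "X-Content-Type-Options": "nosniff"}
UNHARDENED = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=300"}
```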
Third-party SD-WAN Integration
Suppose a company has multiple locations with their own networks that need to be connected so data and resources can be shared efficiently. Instead of the traditional but costly and less flexible MPLS solution, SD-WAN (Software-Defined Wide Area Network) offers a more agile and cost-effective alternative.
By integrating third-party SD-WAN into Sophos Firewall v20, traffic can be transferred seamlessly to the powerful backbone networks of Cloudflare, Akamai, or Azure. For example, a company that needs a faster and more secure connection between its locations can route traffic over the Azure backbone network to benefit from its global reach and robust security services. This improves performance, security, and reliability while also reducing network complexity and costs.
Onramping to backbone networks from providers such as Cloudflare, Akamai, or Azure creates a bridge between the local network and the extensive network infrastructures of these providers. The integration of third-party SD-WAN solutions into Sophos Firewall v20 simplifies this process.
ZTNA Gateway
This feature is not new per se, as it was already integrated into the firewall with SFOS 19.5 MR3, yet Sophos lists it again among the new features in SFOS v20.

The article on this topic can be found here: Sophos ZTNA Gateway on Sophos Firewall


