Avanet
Sophos Firewall v20 MR1: New Features and Improvements

Sophos Firewall v20 MR1 brings a wide range of new features and improvements that further enhance firewall security and performance. Here are the most important changes in detail:

⚠️ Important for all RED 15 and RED 50 users who have not yet upgraded to SD-RED 20 or SD-RED 60. The message stating that the REDs are End of Life has been displayed on the firewall for some time. After this update, the old RED models remain visible in WebAdmin, but no longer connect to the firewall.

Automatic language detection at login

Right after booting with the new Sophos Firewall v20 MR1 firmware, you see the first change. Whether that is good or bad is something everyone can decide for themselves; personally, I lean toward the latter.

The language for the admin portal is automatically detected based on the browser settings. This is then also stored as a cookie.

Sophos Firewall v20 MR1 Admin Login Page

Improved Firewall Security and Access Control

With the new version, you get even more granular control over which services are accessible from the WAN. This significantly improves the security posture of your firewall. What is not visible cannot be attacked.

New configuration options have been added for IPsec VPN and RED:

Sophos Firewall v20 MR1 Local service ACL

New services in the Local ACL exception list

However, a zone can still expose a large attack surface, so it is advisable to define access even more precisely in the “Local service ACL exception rule”.

The following services have been added to the exception list: AD SSO, Captive Portal, RADIUS SSO, Client Authentication, Wireless, SMTP, RED, IPsec, and last but not least Chromebook, although I have never seen a Chromebook anywhere except on YouTube 🤷‍♂️.

Sophos Firewall v20 MR1 Local service ACL exception rules

More flexible access control exceptions

With Sophos Firewall v20 MR1, access control exceptions become significantly more flexible and are expanded with three important object types.

  • Support for FQDN hosts: You can now use fully qualified domain names (FQDNs) in exception rules. This enables more precise traffic control by allowing access to specific domains based on their names instead of only IP addresses. I have been looking forward to this feature (which was available on UTM 🤐) for a long time.
  • Host groups: The ability to define and use host groups provides greater flexibility when managing access rules. You can combine multiple hosts into a group and then use that group in your exception rules.
  • MAC addresses: In addition to IP addresses, MAC addresses can now also be included in access control exceptions. This provides an additional layer of control, which is particularly useful in networks with many dynamic or changing IP addresses.

Zero-Touch Deployment

Zero-Touch Deployment is an advanced feature in Sophos Firewall v20 MR1.

In many cases, we at Avanet replace existing firewalls one-to-one with new devices, and it is important that this happens quickly and with minimal disruption. Usually, we preconfigure the device in our office and then send it to the customer, where it only needs to be swapped in.

In the past, Zero-Touch Deployment required a USB stick to transfer the configuration file to the firewall. With the new version, this is no longer necessary because the entire configuration can be handled via Sophos Central.

Here are the steps and improvements in detail:

  1. Enter serial number: The serial number of the new firewall is entered in Sophos Central. This is used to identify and initialize the firewall.
  2. Define the basic configuration: A basic configuration is defined and applied the first time the firewall starts. This includes important settings such as the time zone, firewall hostname, and network configuration for LAN and WAN.
  3. Establish an internet connection: The firewall is simply connected to the network on site. It then automatically connects to Sophos Central and downloads the predefined configuration.
  4. Activate Firewall Management: After connecting to Sophos Central, the firewall is automatically configured and ready for use. Administrators can then make further settings and fine-tune the device directly via Sophos Central.

This method significantly reduces the time and complexity of the installation. The firewall can also be used immediately once it is connected to the internet, which speeds up the entire process.

Advantages of Zero-Touch Deployment

  • Fast deployment: Ideal for sites where no IT staff are present. The firewall can be configured and made ready for use immediately after being connected to the network.
  • Centralized management: All configuration steps are performed via Sophos Central, enabling uniform and consistent management.
  • Minimal disruption: Because the configuration is defined in advance and applied automatically, downtime is minimal, which is particularly beneficial in business-critical environments.
  • Easy customization: After the initial configuration, further adjustments and settings can be made centrally without a technician having to be on site.

With Zero-Touch Deployment, Sophos offers an efficient solution for deploying and configuring firewalls that saves time and maximizes network availability.

Download log files for troubleshooting

With Sophos Firewall v20 MR1, it is now possible to download individual log files directly from the firewall. This feature simplifies troubleshooting because you no longer need to access the firewall via SSH to obtain the necessary data.

Under the main menu item Diagnostics, you will find the option Troubleshooting Logs. Here, administrators can search for specific logs and select multiple logs at the same time. Sophos Firewall then provides a ZIP file for download containing all selected logs. These files can be opened and analyzed on a local client.

Sophos Firewall v20 MR1 - Download logs

Each Site-to-Site IPsec connection and each individual RED connection gets its own log. This enables detailed, targeted analysis without having to rely on cumbersome methods. As a result, firewall management and maintenance become more efficient and user-friendly.

Sophos Firewall v20 MR1 - Logs for IPsec S2S or any RED

Description fields for objects

All objects under “Host & Services” now receive a description field. This includes IP hosts, IP host groups, MAC addresses, and other network objects. The ability to add a detailed description to each object significantly improves documentation.

This feature allows important information to be stored directly in the firewall. For example, when creating a new IP host, you can immediately add a description explaining the purpose and use of the host. This is particularly useful when multiple administrators manage the firewall or when precise documentation is required.

Sophos Firewall v20 MR1 Object Description

A description could also contain links to further information, such as a knowledge base article or a PDF document with specific details about the object in question. This improves traceability and makes future administrative tasks easier. For example, a service port used only for a specific application can be enriched directly with relevant information and context, significantly increasing efficiency and clarity in network management.

The description is also indexed so it can be searched.

Generative AI Firewall Assistant

Today, a company apparently is no longer cool unless it mentions AI. A few years ago it was blockchain.

A new generative AI-powered Sophos Assistant is integrated to help you manage your firewall. You can ask the assistant any question in plain language and receive instructions and links to helpful resources.

Sophos Firewall v20 MR1 - Assistant with a bit of AI

Not bad for a first version, but I think we imagine AI as something more than just a slightly better search?

OpenVPN Upgrade to v2.6.0

The OpenVPN component of Sophos Firewall has been updated to version 2.6.0. This improves security and performance for SSL VPN. Site-to-Site SSL VPNs with older versions are no longer supported. It is recommended to update to v20.0 MR1 or use alternative VPN solutions such as IPsec.

In addition, the latest version of the Sophos Connect Client (v2.3) can be downloaded via the VPN portal.

Important notes on SSL VPN compatibility

Due to the upgrade to OpenVPN 2.6.0 in this version, SSL VPN tunnels can no longer be established with the following clients and firewall versions:

  • SFOS v18.5 and earlier versions: Site-to-Site SSL VPNs can no longer be established. It is recommended to update all relevant firewalls to v20.0 MR1 or use Site-to-Site IPsec or RED tunnels.
  • Legacy SSL VPN Client: Remote Access SSL VPN tunnels can no longer be established with the legacy SSL VPN Client. Use the Sophos Connect Client or third-party clients such as the OpenVPN Client.
  • UTM9 OS: Site-to-Site SSL VPNs can no longer be established between UTM9 OS and SFOS v20.0 MR1. It is recommended to migrate these devices to v20.0 MR1 or use Site-to-Site IPsec or RED tunnels.
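
A pre-upgrade check built from the compatibility notes above and the RED 15 / RED 50 notice at the top of this article. It is an added example, not Sophos or Avanet code: the inventory format, field names and peer names are assumptions made for illustration, since the firewall does not export its peers in this shape.

```python
import re

# Rules taken from this article's notes on v20 MR1 (OpenVPN 2.6.0, RED End of Life).
EOL_RED_MODELS = {"RED 15", "RED 50"}

def sfos_version(text):
    """Parse strings such as 'v18.5 MR5' or '19.0.1' into a (major, minor) tuple."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unparseable SFOS version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def check_peer(peer):
    """Return a finding if the peer stops connecting after the upgrade, else None."""
    kind, product = peer["kind"], peer["product"]
    if kind == "red" and product in EOL_RED_MODELS:
        return "End-of-Life RED model: replace with SD-RED 20 or SD-RED 60"
    if kind == "ssl-s2s":
        if product == "UTM9":
            return "UTM9 SSL VPN peer: migrate the device or use IPsec/RED"
        if product == "SFOS" and sfos_version(peer["version"]) <= (18, 5):
            return "SFOS v18.5 or earlier: update the peer or use IPsec/RED"
    if kind == "ssl-remote" and product == "Legacy SSL VPN Client":
        return "legacy client: switch to Sophos Connect or an OpenVPN client"
    return None

def audit(inventory):
    """Map peer name -> finding for every peer that will break."""
    findings = {}
    for peer in inventory:
        finding = check_peer(peer)
        if finding:
            findings[peer["name"]] = finding
    return findings

# Constructed sample inventory; every name and version below is made up.
SAMPLE = [
    {"name": "branch-zurich", "kind": "ssl-s2s", "product": "SFOS", "version": "v18.5 MR5"},
    {"name": "branch-bern", "kind": "ssl-s2s", "product": "SFOS", "version": "v19.5 MR3"},
    {"name": "hq-old", "kind": "ssl-s2s", "product": "UTM9", "version": "9.7"},
    {"name": "warehouse", "kind": "red", "product": "RED 15", "version": ""},
    {"name": "shop", "kind": "red", "product": "SD-RED 20", "version": ""},
    {"name": "laptop-anna", "kind": "ssl-remote", "product": "Legacy SSL VPN Client", "version": ""},
    {"name": "laptop-ben", "kind": "ssl-remote", "product": "Sophos Connect", "version": "2.3"},
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE).items():
        print(f"{name}: {finding}")
```

Run it against your own list of tunnels and REDs before scheduling the firmware update, so that every flagged peer is migrated first.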

Improvements in SD-WAN and VPN

The new version of Sophos Firewall v20 MR1 brings important improvements in SD-WAN and VPN that significantly increase both reliability and performance.

  • Minimal traffic interruptions: Gateway availability during HA failover and device restarts has been improved fourfold. This means that if a gateway fails or a device restarts, traffic interruptions are significantly reduced, resulting in a more stable network connection.
  • New OpenVPN 3.0 Client: The new OpenVPN 3.0 Client for Remote Access SSL VPN is now available for download via the VPN portal. This client offers improved security features and better compatibility with various operating systems, simplifying VPN setup and management and improving the user experience.
  • IPsec Phase-1 IKEv2 support: Support for GCM and Suite-B ciphers has been added, improving interoperability and throughput for IPsec connections. These modern encryption methods ensure more secure and efficient data transmission between network devices.
  • DHCP Busybox improvements: The default lease time for DHCP has been set to 30 seconds to eliminate WAN connection issues. Shorter lease times mean that IP addresses are assigned and renewed more quickly, resulting in a more stable and reliable network connection, especially in environments with frequently changing connections.

Install Sophos Firewall v20 MR1

To install the latest firmware version, an Enhanced Support license is required unless the firewall has just been purchased and still has an evaluation license: Sophos Firewall updates no longer free in the future

This guide describes how to install the latest version on your firewall and download the image: Updating firmware on Sophos Firewall

More information about the release can be found in the Sophos Community - Sophos Firewall OS v20 MR1 is Now Available

Patrizio