
Sophos Firewall v21.5: New functions for security and user-friendliness
Sophos Firewall v21.5 is here, bringing a wealth of new features and enhancements to strengthen your network security and simplify management. In this blog post, we’ll outline the key new features of SFOS v21.5, including the long-awaited Entra ID Single Sign-On (SSO) integration and the powerful NDR Essentials for advanced threat detection. We also cover improvements in VPN scalability, DNS protection, the user interface and more. Let’s dive into what’s new in Sophos Firewall v21.5.
Sophos NDR Essentials: Advanced threat detection
Network Detection and Response (NDR) is a key component of modern cyber security to detect and respond to threats by monitoring network traffic. With SFOS v21.5, Sophos introduces NDR Essentials, a cloud-based NDR solution that is integrated directly into the firewall.
NDR Essentials uses artificial intelligence to analyze metadata from TLS-encrypted traffic and DNS queries to detect malicious activity without having to decrypt the traffic. This preserves firewall performance and respects user privacy. The solution is free for customers with the Xstream Protection bundle and requires no additional hardware.
Important advantages of NDR Essentials:
- Detection of complex threats: Identifies sophisticated attacks, including those that use encrypted channels or dynamic domains.
- Cloud-based solution: No impact on firewall performance as the analysis takes place in the Sophos Firewall Intellix Cloud.
- Simple integration: Activation via the firewall’s Active Threat Response menu.
How does it work?
NDR Essentials analyzes encrypted traffic and DNS queries using two AI engines: Encrypted Payload Analysis (EPA) and Domain Generation Algorithm (DGA) detection. Detections are rated on a scale from 1 (low risk) to 10 (high risk). Administrators can set a threshold above which notifications and alarms are triggered. All detections are logged and can be viewed in detailed reports both on the firewall and in Sophos Central.
Setup:
To activate NDR Essentials, navigate in Sophos Firewall v21.5 to Active Threat Response, select the NDR Essentials tab and activate the function. Select the interfaces to be monitored (e.g. those with high internet traffic) and set the minimum threat score (recommendation: 9-10 for high risk).

License requirements:
NDR Essentials requires an active Xstream Protection bundle license. A 30-day trial version is available for non-customers. Currently the feature is only supported on XGS hardware, not on virtual or cloud devices. HA Active-Active mode is also not supported.
Why is this important?
NDR Essentials focuses on gateway traffic and offers a “lite” version compared to the full Sophos NDR, which also monitors internal network traffic. For more comprehensive insights, Sophos recommends the full NDR solution or the Managed Detection and Response service (Sophos MDR).
For a detailed demonstration, watch the NDR Essentials video:
Entra ID Single Sign-On: Simplified VPN access
Managing user authentication for VPN access can be complex in large organizations. Sophos Firewall v21.5 introduces Single Sign-On (SSO) integration with Microsoft Entra ID (formerly Azure AD), making it easier to access the VPN Portal and Sophos Connect Client.
This integration uses the OAuth 2.0 and OpenID Connect protocols to enable seamless authentication. Users log in once with their Entra ID credentials and gain access to VPN services without having to re-enter credentials.
Important functions:
- Support for Sophos Connect Client: Version 2.4 and higher on Windows platforms.
- Multi-factor authentication (MFA): Fully supported with Entra ID.
- Uniform configuration: The same Entra ID SSO server is used for the VPN Portal, SSL VPN and IPsec configurations.
Setup:
To configure Entra ID SSO in Sophos Firewall v21.5, set up the authentication server with the Azure Application ID. Make sure that the URLs for the VPN Portal and remote access are registered as callback URLs in Azure. For the Sophos Connect Client, import a provisioning file that specifies the gateway settings. Here is an example of such a file:
[
  {
    "gateway": "vpn.domain.com",
    "vpn_portal_port": 443,
    "check_remote_availability": false
  }
]
The “gateway” value must match the callback URL configured in Azure to ensure SSO functionality. This file enables both the traditional login and the SSO option in the Sophos Connect Client.
Why is the provisioning file necessary?
The file ensures that the Sophos Connect Client uses the correct gateway settings and enables the SSO functionality. Without this configuration, the connection may fail or the SSO option may not be displayed.
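Because a gateway value that does not match a registered callback URL silently breaks SSO, a consistency check before rolling out the provisioning file is worthwhile. The following is an added example (not a Sophos tool): it parses a provisioning file like the one above and verifies that each gateway host and port has a matching HTTPS callback URI registered on the Entra ID application. The callback paths and the second URI are constructed for this example; the real paths come from the firewall's VPN Portal and remote access settings.

```python
import json
from urllib.parse import urlparse

# Constructed sample: a Sophos Connect provisioning file as shown in the post.
PROVISIONING_JSON = """
[
  {
    "gateway": "vpn.domain.com",
    "vpn_portal_port": 443,
    "check_remote_availability": false
  }
]
"""

# Constructed sample: redirect (callback) URIs registered on the Entra ID app.
# The paths here are assumptions for this example, not values from the post.
REGISTERED_CALLBACK_URIS = [
    "https://vpn.domain.com/vpn/oidc/callback",
    "https://vpn.domain.com:8443/oidc/callback",
]


def callback_hosts(uris):
    """Return the set of (host, port) pairs from the registered callback URIs."""
    hosts = set()
    for uri in uris:
        parsed = urlparse(uri)
        if parsed.scheme != "https" or not parsed.hostname:
            continue  # SSO callbacks must be HTTPS; ignore anything else
        hosts.add((parsed.hostname.lower(), parsed.port or 443))
    return hosts


def check_provisioning(provisioning_text, registered_uris):
    """Return a list of problems; an empty list means every gateway entry
    has a matching (host, port) among the registered callback URIs."""
    entries = json.loads(provisioning_text)
    if not isinstance(entries, list) or not entries:
        return ["provisioning file must be a non-empty JSON array"]
    known = callback_hosts(registered_uris)
    problems = []
    for idx, entry in enumerate(entries):
        gw = entry.get("gateway")
        port = entry.get("vpn_portal_port", 443)  # default matches the post's example
        if not gw:
            problems.append(f"entry {idx}: missing 'gateway'")
        elif not isinstance(port, int) or not 1 <= port <= 65535:
            problems.append(f"entry {idx}: invalid 'vpn_portal_port' {port!r}")
        elif (gw.lower(), port) not in known:
            problems.append(f"entry {idx}: {gw}:{port} has no registered callback URI")
    return problems
```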
Restrictions:
- The function is currently only available for Windows-based Sophos Connect clients.
- Users migrating from previous SFOS versions with Azure AD SSO will need to add the callback URI for the VPN Portal in the Azure application.

This feature significantly improves the user experience, especially in environments that already use Entra ID for authentication, and increases security through MFA support.
VPN and scalability improvements
SFOS v21.5 brings several improvements to VPN features and scalability that optimize management and performance:
- User interface updates: “Site-to-site” VPN connections are now called “policy-based”, and tunnel interfaces are called “route-based” to increase clarity.
- Improved IP lease pool validation: Optimized checks for SSL VPN, IPsec, L2TP and PPTP to avoid configuration errors.
- Strict IPsec profile enforcement: Ensures that IPsec connections comply with defined security policies.
- Increased tunnel capacity: Support for up to 3,000 route-based VPN tunnels and up to 1,000 site-to-site RED tunnels with up to 650 SD-RED devices.
These improvements make VPN management more intuitive and scalable, especially for larger enterprise environments.
Sophos DNS Protection: Improved integration
Sophos DNS Protection, a “free” service for Xstream Protection customers, receives several updates in Sophos Firewall v21.5:
- New Control Center widget: Provides a quick overview of the status of DNS protection.
- Improved troubleshooting: New logs and notifications make problem solving easier.
- Guided set-up instructions: Step-by-step instructions for easy configuration.
These additions simplify the monitoring and management of DNS-based protection directly from the firewall interface.
Administrative improvements
Sophos Firewall v21.5 introduces several improvements to the user interface and administration:
- Customizable table columns: Column widths in tables (e.g. SD-WAN, NAT, SSL, Hosts, VPN) are now customizable and remain saved in the browser.
- Enhanced search functions: Free text search is now available in SD-WAN routes and local ACL rules, making navigation easier.
- Changes to the default configuration: Default firewall rules and rule groups have been removed, and the default action is set to “None”, which encourages administrators to define explicit security policies.
- New font: A new font improves the readability of the user interface. (At least that’s what Sophos says, but anyone who knows a bit about fonts and is familiar with them will probably see it differently).
These changes improve the user experience and make the configuration and management of the firewall more efficient.
More improvements
SFOS v21.5 contains a number of other improvements that increase flexibility and security:
- License updates: Virtual, software and cloud licenses no longer have RAM limitations; instead, they are limited by the number of cores.
- WAF file size limit: The Web Application Firewall now supports configurable file size limits up to 1 GB, useful for larger uploads.
- Security telemetry: Real-time monitoring of changes to core operating system files using secure hash validation to detect unauthorized changes.
- DHCP improvements: Support for larger IPv6 prefixes (/48 to /64), with Router Advertisement (RA) and DHCPv6 enabled by default.
- Path MTU Discovery: Improved to fix TLS decryption errors, especially for advanced cryptographic methods such as ML-KEM.
- NAT64 support: Enables the translation of IPv6 to IPv4 traffic in explicit proxy mode, which facilitates IPv6 implementation.
These updates contribute to a more flexible, secure and efficient firewall solution.
Closing words
Sophos Firewall v21.5 offers significant advances in threat detection with NDR Essentials and simplifies user access with Entra ID SSO. Along with improvements in VPN scalability, management and security features, SFOS v21.5 is a robust upgrade for organizations looking to strengthen their network security. The Xstream Protection license is starting to offer more value than when the license was introduced.
SFOS v21.5 is currently still in EAP, i.e. beta, and is not yet suitable for productive use.