
Sophos Firewall v21.5 MR1: Security and Stability in Focus
Sophos Firewall v21.5 MR1 bundles numerous security, stability and reliability improvements. In addition, there are targeted innovations such as OAuth 2.0 for email alerts, NDR fine-tuning and HA hardening.
New functions in SFOS v21.5 MR1
OAuth 2.0 for e-mail notifications
Email notifications can authenticate to Gmail and Microsoft 365 with OAuth 2.0. Password authentication is gradually being phased out. Advantages: reduced attack surface, central token management, traceable access. Configuration is under Administration > Notification settings. Gmail requires an app registration in the Google Cloud Console (Client ID, Client Secret). The firewall uses refresh tokens for persistent authentication. OAuth 2.0 also enables the use of policies, multi-factor authentication and central revocation of compromised tokens.
It is advisable to migrate SMTP profiles at an early stage, send a test email and configure a fallback mail server; MFA policies should be checked and documented.
Localized scheduled reports
Scheduled PDF reports are generated in the language that was used when logging in to the web admin. This reduces translation work and facilitates coordination with specialist departments. Reports are more consistent and can be used in management meetings without additional effort.
NDR Essentials: Data center selection
The analysis region for NDR Essentials is freely selectable. The region with the lowest latency is the default. This allows data residency and compliance requirements to be met. With multi-region setups, the right choice is crucial to avoid unwanted data flows.
It makes sense to document the selected region, prepare for a planned change, adapt the monitoring and take data protection guidelines into account.
NDR Essentials: Threat Score in ATR logs
The threat score appears in the Active Threat Response logs. This facilitates prioritization, correlation and reporting in SIEM and XDR. Score-based alerts enable a finer classification of incidents.

Syslog: device_name corresponds to hostname
The device_name field contains the configured host name of the firewall. This allows logs to be assigned more clearly in multi-device environments. Integrations with XDR and SIEM become more robust.
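A sketch of how a SIEM-side script could use both changes, the threat score in ATR logs and the hostname in device_name, to route and prioritize events. This is an added example, not Sophos code: the log lines are constructed, and the `threat_score` field name, its scale, the thresholds and the inventory hostnames are assumptions; only `device_name` is taken from the article.

```python
import re
from collections import defaultdict

# Constructed sample lines. Only device_name comes from the article;
# "threat_score", its scale and the other fields are assumptions.
SAMPLE_LOGS = [
    'device_name="fw-zrh-01" log_component="ATR" src_ip="10.1.4.23" threat_score="9"',
    'device_name="fw-zrh-01" log_component="ATR" src_ip="10.1.4.57" threat_score="3"',
    'device_name="fw-ber-02" log_component="ATR" src_ip="10.2.8.11" threat_score="6"',
    'device_name="SFW" log_component="ATR" src_ip="10.3.0.9" threat_score="8"',
]
KNOWN_FIREWALLS = {"fw-zrh-01", "fw-ber-02"}  # assumed inventory of hostnames
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse(line):
    """Split one key=value log line into a dict (quoted or bare values)."""
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}


def severity(score, high=8, medium=5):
    """Map a numeric score to a bucket; the thresholds are illustrative."""
    return "high" if score >= high else "medium" if score >= medium else "low"


def triage(lines):
    """Return (queue, unknown): sources per (firewall, severity) and strays."""
    queue, unknown = defaultdict(list), []
    for line in lines:
        event = parse(line)
        host = event.get("device_name")
        score = event.get("threat_score", "")
        if host not in KNOWN_FIREWALLS or not score.isdigit():
            unknown.append(event)  # sender not in inventory or unusable score
            continue
        queue[(host, severity(int(score)))].append(event.get("src_ip"))
    return dict(queue), unknown


if __name__ == "__main__":
    queue, unknown = triage(SAMPLE_LOGS)
    for (host, level), sources in sorted(queue.items()):
        print(f"{host:10} {level:6} {sources}")
    print("needs inventory review:", [e.get("device_name") for e in unknown])
```

Events whose device_name is not in the inventory are held back for review instead of being attributed to the wrong firewall, which is where a consistent hostname in that field pays off.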
Assured high availability
Strong passphrases are mandatory; automatic generation has been removed. In addition, the HA link checks the SSH host key of the partner. This makes man-in-the-middle attacks more difficult and avoids cluster mix-ups. Improved error output supports diagnostics.
LINCE mode in HA
LINCE is a Spanish government security certification that defines minimum cryptographic requirements. LINCE mode enforces a permissible selection of algorithms and key lengths on the firewall and affects SSH and VPN settings, among others. Activation takes place via CLI and restarts the SSH service. In HA environments, LINCE mode must be identical on both devices before HA setup. When restoring HA backups, the LINCE status of the target devices must match the backup, otherwise the restore will be rejected or the mode adjusted.
Route-based VPN: automatic XFRM-MTU
The firewall automatically calculates an adapted MTU for XFRM interfaces by deducting IPsec overhead. The aim: less fragmentation and more stable TCP connections. The value is customizable.
After the upgrade, you should check the MTU, fine-tune it for the specific provider if necessary and test critical applications.
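To sanity-check the automatically calculated value, the standard ESP tunnel-mode overhead can be worked out by hand. The following is an added example using general IPsec arithmetic, not Sophos's own formula (which the article does not describe); the suite names and function names are chosen for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class EspSuite:
    iv_len: int   # per-packet IV carried in the ESP payload (bytes)
    block: int    # alignment of the encrypted part (cipher block, minimum 4)
    icv_len: int  # integrity check value: truncated HMAC or AEAD tag (bytes)


# Common ESP transform combinations; labels are local to this example.
SUITES = {
    "aes-cbc/hmac-sha1-96": EspSuite(iv_len=16, block=16, icv_len=12),
    "aes-cbc/hmac-sha256-128": EspSuite(iv_len=16, block=16, icv_len=16),
    "aes-gcm-16": EspSuite(iv_len=8, block=4, icv_len=16),
}

ESP_HEADER = 8   # SPI + sequence number
ESP_TRAILER = 2  # pad length + next header, inside the encrypted part
UDP_ENCAP = 8    # extra UDP header when NAT traversal (UDP 4500) is active


def tunnel_mtu(link_mtu, suite, outer_ipv6=False, nat_t=False):
    """Largest inner packet that fits one ESP tunnel-mode packet unfragmented."""
    s = SUITES[suite]
    outer_ip = 40 if outer_ipv6 else 20
    room = (link_mtu - outer_ip - (UDP_ENCAP if nat_t else 0)
            - ESP_HEADER - s.iv_len - s.icv_len)
    # Inner packet + padding + trailer must fill whole cipher blocks.
    return room // s.block * s.block - ESP_TRAILER


def tcp_mss(mtu, inner_ipv6=False):
    """TCP MSS matching a tunnel MTU (no IP or TCP options assumed)."""
    return mtu - (40 if inner_ipv6 else 20) - 20


if __name__ == "__main__":
    for link, nat in ((1500, False), (1500, True), (1492, False)):
        for name in SUITES:
            mtu = tunnel_mtu(link, name, nat_t=nat)
            print(f"link={link} nat_t={nat!s:5} {name:24} "
                  f"mtu={mtu} mss={tcp_mss(mtu)}")
```

If the value shown on the XFRM interface is larger than the result for the tunnel's actual transforms and uplink MTU, expect fragmentation or stalled TCP sessions on large transfers.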
Customizable table columns
Many areas in Sophos Firewall v21.5 MR1 support resizable columns, e.g. Network, SD-WAN routes, Gateways or Local Service ACL. The widths are saved in the browser and applied to future sessions.
Hotspot vouchers: sorting and filtering
Vouchers can be sorted by creation date and appear immediately at the top. This makes issuing and checking vouchers easier.
SNMP MIBs: improved RFC conformity
The MIBs are more closely aligned with the RFCs for SNMPv1, v2 and v3. This improves compatibility with monitoring tools and reduces parsing errors.
Live Users: standardized data units
Data volumes are displayed uniformly in KB, MB and GB. This makes comparisons easier and reduces misunderstandings.
Group import from AD and Entra ID
L2TP and PPTP are no longer activated automatically during group import. Remote access remains explicitly controllable. This prevents unwanted attack surfaces.
Active Directory SSO: Windows Server 2025
Single sign-on now supports Windows Server 2025 via NTLM and Kerberos. This facilitates integration into modern AD environments and hybrid setups with Azure AD.
RED system hosts: correct /32
System host objects for RED now consistently use the subnet mask /32. Previously, the mask could differ from the configuration set when the interface was created. If a RED system host is used in rules or objects for larger networks, the traffic can no longer be matched after the update.
It is practical to check dependent firewall rules and host objects and switch to suitable IP or network objects if necessary.
Compatibility and notes
- SSL VPN compatibility: No tunnels to SFOS 18.5 and older, Legacy SSL VPN Client or UTM 9. Alternative: Upgrade, IPsec or RED.
- Legacy RED site-to-site tunnels of the old generation are no longer supported as of SFOS 22. Migration to supported RED Site-to-Site or IPsec tunnels is recommended.
- Upgrade paths: Follow official migration paths. Sophos Central can plan and control upgrades.
- Create a complete backup and rollback plan before every upgrade.
Conclusion
Sophos Firewall v21.5 MR1 is a regular maintenance release with minor improvements and bug fixes. It stabilizes ongoing operation and includes detailed corrections. The switch to OAuth 2.0 for email notifications, the selection of the NDR region and a brief check of the HA and syslog settings are useful. Overall, these are incremental adjustments to maintain the current release branch. It will be exciting again at the beginning of December when SFOS v22 is released.
Further links
- Avanet Blog: Sophos Firewall v21.5
- Avanet KB: Sophos Firewall firmware update – preparation and best practices
- Avanet KB: Updating the firmware on the Sophos Firewall (Firmware Update)