Sophos Firewall v21.5 MR1: Focus on Security and Stability
Sophos Firewall v21.5 MR1 bundles numerous security, stability, and reliability improvements. It also adds targeted changes such as OAuth 2.0 for email notifications, NDR fine-tuning, and high-availability hardening.
New features in SFOS v21.5 MR1
OAuth 2.0 for email notifications
Email notifications can be secured with OAuth 2.0 for Gmail and Microsoft 365. Password authentication is being phased out. The benefits are a smaller attack surface, centralized token management, and traceable access. Configuration is handled under Administration > Notification settings. For Gmail, an app registration in the Google Cloud Console is required (Client ID, Client Secret). The firewall uses refresh tokens for persistent authentication. OAuth 2.0 also enables policy enforcement, multi-factor authentication, and centralized revocation of compromised tokens. It is advisable to migrate SMTP profiles early, send a test message, and configure a fallback mail server. MFA policies should also be reviewed and documented.
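The following script is an added example and not part of the release notes or of Sophos' own code. It exercises the same Gmail OAuth 2.0 flow the firewall relies on (refresh token exchanged for a short-lived access token, then SMTP authentication via the SASL XOAUTH2 mechanism instead of a password), so an administrator can confirm that the Google Cloud app registration and refresh token work before pointing the notification profile at them. The token endpoint, Gmail SMTP host and XOAUTH2 string layout are Google's documented values; the environment variable names in the `__main__` block are placeholders chosen here.

```python
"""Verify a Gmail OAuth 2.0 (XOAUTH2) SMTP setup from an admin workstation.

Added example, not Sophos code. Uses only the standard library.
"""
import base64
import json
import smtplib
import urllib.parse
import urllib.request

# Google's documented token endpoint and Gmail submission host.
TOKEN_URL = "https://oauth2.googleapis.com/token"
SMTP_HOST = "smtp.gmail.com"
SMTP_PORT = 587


def build_xoauth2(user: str, access_token: str) -> str:
    """SASL XOAUTH2 initial client response.

    Layout per Google's XOAUTH2 spec: base64("user=<u>\\x01auth=Bearer <t>\\x01\\x01").
    """
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def _http_post_form(url: str, fields: dict) -> dict:
    """POST a form-encoded body and parse the JSON reply."""
    body = urllib.parse.urlencode(fields).encode("ascii")
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def refresh_access_token(client_id: str, client_secret: str,
                         refresh_token: str, post=_http_post_form) -> str:
    """Exchange the long-lived refresh token for a short-lived access token.

    `post` is injectable so the exchange can be exercised offline; the
    firewall performs this same grant on every notification cycle.
    """
    reply = post(TOKEN_URL, {
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "grant_type": "refresh_token",
    })
    if "access_token" not in reply:
        # Google answers e.g. {"error": "invalid_grant"} once a token is revoked
        # centrally; that is the failure a fallback mail server should cover.
        raise RuntimeError(f"token refresh failed: {reply.get('error', reply)}")
    return reply["access_token"]


def send_test_message(user: str, access_token: str, to_addr: str,
                      subject: str = "Firewall notification test") -> None:
    """Authenticate with XOAUTH2 (no password on the wire) and send one message."""
    msg = (f"From: {user}\r\nTo: {to_addr}\r\nSubject: {subject}\r\n\r\n"
           "OAuth 2.0 SMTP test message.\r\n")
    with smtplib.SMTP(SMTP_HOST, SMTP_PORT, timeout=15) as smtp:
        smtp.ehlo()
        smtp.starttls()
        smtp.ehlo()
        code, reply = smtp.docmd("AUTH", "XOAUTH2 " + build_xoauth2(user, access_token))
        if code != 235:
            # A 334 reply carries a base64-encoded JSON error (expired/revoked token,
            # missing scope); surface it instead of silently retrying.
            raise RuntimeError(f"SMTP AUTH XOAUTH2 rejected: {code} {reply!r}")
        smtp.sendmail(user, [to_addr], msg)


if __name__ == "__main__":
    import os
    import sys
    # Placeholder variable names; supply your own app registration values.
    token = refresh_access_token(os.environ["GMAIL_CLIENT_ID"],
                                 os.environ["GMAIL_CLIENT_SECRET"],
                                 os.environ["GMAIL_REFRESH_TOKEN"])
    send_test_message(os.environ["GMAIL_USER"], token, sys.argv[1])
    print("test message accepted")
```

Run it once against the mailbox the firewall will use; a `235` on `AUTH XOAUTH2` proves the registration, scope and refresh token are valid, and an `invalid_grant` on the refresh step is what you will see after the token is revoked centrally.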
Localized scheduled reports
Scheduled PDF reports are generated in the language used when logging in to the web admin interface. This reduces translation effort and makes coordination with business departments easier. Reports are more consistent and can be used in management meetings without additional work.
NDR Essentials: data center selection
The analysis region for NDR Essentials can be selected manually. By default, the region with the lowest latency is used. This helps meet data residency and compliance requirements. In multi-region setups, choosing the right region is important to avoid unwanted data flows. It makes sense to document the selected region, prepare any planned region changes, adjust monitoring, and take data protection policies into account.
NDR Essentials: Threat Score in ATR logs
The Threat Score appears in the Active Threat Response logs. This makes prioritization, correlation, and reporting in SIEM and XDR easier. Score-based alerts enable more granular incident classification.

Syslog: device_name corresponds to hostname
The device_name field contains the configured hostname of the firewall. This makes logs easier to attribute in multi-device environments. Integrations with XDR and SIEM become more robust.
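As an added example for the two log-related changes above (the Threat Score in Active Threat Response logs and `device_name` carrying the hostname), here is a small parser for the Sophos `key="value"` syslog layout that attributes events per device and raises score-based alerts. This is not Sophos code: the sample lines are constructed, `device_name`, `log_type`, `log_component`, `src_ip` and `dst_ip` are regular Sophos log keys, while the `threat_score` key and the 40/70/90 severity bands are assumptions for illustration and should be replaced with the field name and thresholds your SIEM actually receives.

```python
"""Attribute Sophos syslog events per device and classify ATR threat scores.

Added example, not Sophos code. Field name `threat_score` and the severity
bands are assumptions; the sample lines below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample lines in the Sophos key="value" syslog layout.
SAMPLE_LOGS = [
    'device_name="fw-branch-01" timestamp="2025-10-20T08:15:02+0200" log_type="Firewall" '
    'log_component="Firewall Rule" log_subtype="Allowed" src_ip="10.1.2.3" dst_ip="203.0.113.10"',
    'device_name="fw-hq-01" timestamp="2025-10-20T08:15:05+0200" log_type="Firewall" '
    'log_component="Firewall Rule" log_subtype="Denied" src_ip="10.9.0.7" dst_ip="198.51.100.5"',
    'device_name="fw-hq-01" timestamp="2025-10-20T08:16:11+0200" log_type="ATR" '
    'log_component="NDR" threat_score="87" src_ip="10.9.0.7" dst_ip="198.51.100.5"',
    'device_name="fw-branch-01" timestamp="2025-10-20T08:16:40+0200" log_type="ATR" '
    'log_component="NDR" threat_score="35" src_ip="10.1.2.3" dst_ip="192.0.2.44"',
    # Line without device_name, e.g. from an older firmware: must not crash attribution.
    'timestamp="2025-10-20T08:17:00+0200" log_type="ATR" log_component="NDR" threat_score="bad"',
]

# key="quoted value" or key=bareword
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_sophos_line(line: str) -> dict:
    """Return the key/value pairs of one syslog line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def events_by_device(lines) -> dict:
    """Group events by the firewall hostname found in device_name."""
    grouped = defaultdict(list)
    for line in lines:
        ev = parse_sophos_line(line)
        grouped[ev.get("device_name", "<missing device_name>")].append(ev)
    return dict(grouped)


def classify_score(score: int) -> str:
    """Map a numeric threat score onto severity bands (assumed thresholds)."""
    if score >= 90:
        return "critical"
    if score >= 70:
        return "high"
    if score >= 40:
        return "medium"
    return "low"


def score_alerts(lines, threshold: int = 70, score_field: str = "threat_score") -> list:
    """Emit one alert per ATR event whose score reaches the threshold."""
    alerts = []
    for line in lines:
        ev = parse_sophos_line(line)
        if ev.get("log_type") != "ATR" or score_field not in ev:
            continue
        try:
            score = int(ev[score_field])
        except ValueError:
            continue  # malformed score: skip rather than alert on garbage
        if score >= threshold:
            alerts.append({
                "device": ev.get("device_name", "<missing device_name>"),
                "score": score,
                "severity": classify_score(score),
                "src_ip": ev.get("src_ip"),
                "dst_ip": ev.get("dst_ip"),
            })
    return alerts


if __name__ == "__main__":
    for device, events in events_by_device(SAMPLE_LOGS).items():
        print(f"{device}: {len(events)} events")
    for alert in score_alerts(SAMPLE_LOGS):
        print(alert)
```

Because `device_name` now carries the configured hostname, the grouping key matches the name the firewall has in your inventory, which is what makes per-device dashboards and correlation rules reliable in a multi-device estate.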
Secured High Availability
Strong passphrases are mandatory, and automatic generation is no longer available. In addition, the HA pairing checks the SSH host key of the peer device. This makes man-in-the-middle attacks harder and prevents cluster mix-ups. Improved error output helps with troubleshooting.
LINCE mode in HA
LINCE is a Spanish government security certification that defines minimum cryptographic requirements. LINCE mode enforces an approved selection of algorithms and key lengths on the firewall and affects, among other things, SSH and VPN settings. It is enabled via CLI and restarts the SSH service. In HA environments, LINCE mode must be identical on both devices before HA is configured. When restoring HA backups, the LINCE status of the target devices must match the backup; otherwise, the restore is rejected or the mode is adjusted.
Route-based VPN: automatic XFRM-MTU
The firewall automatically calculates an adjusted MTU for XFRM interfaces by subtracting the IPsec overhead. The goal is less fragmentation and more stable TCP connections. The value can be adjusted. After the upgrade, check the MTU, fine-tune it for provider-specific requirements if necessary, and test critical applications.
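The firewall's exact formula is not published in the release notes, so the following added example (not Sophos code) computes an independent estimate of the XFRM MTU from the ESP packet layout of RFC 4303, which is useful for sanity-checking the value the firewall shows after the upgrade. Assumptions: IPv4 or IPv6 outer header, tunnel mode (the inner IP header is part of the payload and therefore already inside the MTU), the usual IV/ICV sizes for the listed transforms (8-byte IV and 16-byte ICV for AES-GCM, 16-byte IV for AES-CBC), 4-byte ESP alignment for GCM and 16-byte block alignment for CBC, and 8 extra bytes when NAT-T UDP encapsulation is in use.

```python
"""Estimate the MTU of an IPsec XFRM interface from the ESP overhead.

Added example, not Sophos code. Transform constants are typical values
for the named suites; adjust them to match your negotiated proposal.
"""
IPV4_HDR = 20
IPV6_HDR = 40
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
UDP_HDR = 8        # only with NAT-T (UDP encapsulation)

# transform -> (IV length, ICV length, payload alignment in bytes)
TRANSFORMS = {
    "aes-gcm-128": (8, 16, 4),                     # combined mode, explicit 8-byte IV
    "aes-gcm-256": (8, 16, 4),
    "aes-cbc-128+hmac-sha1-96": (16, 12, 16),      # CBC pads to the 16-byte block
    "aes-cbc-256+hmac-sha256-128": (16, 16, 16),
}


def _fixed_overhead(transform: str, ipv6_outer: bool, nat_t: bool) -> tuple:
    iv, icv, align = TRANSFORMS[transform]
    outer = IPV6_HDR if ipv6_outer else IPV4_HDR
    fixed = outer + (UDP_HDR if nat_t else 0) + ESP_HDR + iv + icv
    return fixed, align


def xfrm_mtu(outer_mtu: int = 1500, transform: str = "aes-gcm-128",
             ipv6_outer: bool = False, nat_t: bool = False) -> int:
    """Largest inner packet that still fits the outer MTU without fragmentation."""
    fixed, align = _fixed_overhead(transform, ipv6_outer, nat_t)
    room = outer_mtu - fixed                 # bytes left for payload + padding + trailer
    # payload + padding + trailer must be a multiple of `align`
    return (room // align) * align - ESP_TRAILER


def encrypted_size(inner_len: int, transform: str = "aes-gcm-128",
                   ipv6_outer: bool = False, nat_t: bool = False) -> int:
    """Size on the wire of an inner packet of `inner_len` bytes after ESP encapsulation."""
    fixed, align = _fixed_overhead(transform, ipv6_outer, nat_t)
    padded = -(-(inner_len + ESP_TRAILER) // align) * align   # round up to alignment
    return fixed + padded


def esp_overhead(outer_mtu: int = 1500, **kw) -> int:
    """Bytes subtracted from the outer MTU for the given transform/options."""
    return outer_mtu - xfrm_mtu(outer_mtu, **kw)


if __name__ == "__main__":
    for name in TRANSFORMS:
        for nat_t in (False, True):
            mtu = xfrm_mtu(transform=name, nat_t=nat_t)
            print(f"{name:30s} nat_t={nat_t!s:5s} xfrm mtu={mtu} "
                  f"(overhead {esp_overhead(transform=name, nat_t=nat_t)} bytes)")
```

If the firewall's automatic value is a few bytes lower than this estimate, it is usually deliberate headroom; if it is higher, packets at the MTU will fragment on the outer path, which is exactly the instability the feature is meant to remove and a good reason to override the value for that provider link.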
Customizable table columns
Many areas in Sophos Firewall v21.5 MR1 support resizable columns, for example Network, SD-WAN routes, Gateways, and Local Service ACL. The widths are saved in the browser and reused in future sessions.
Hotspot vouchers: Sorting and filtering
Vouchers can be sorted by creation date and immediately appear at the top. This makes issuing and checking vouchers easier.
SNMP MIBs: improved RFC compliance
The MIBs are more closely aligned with the RFCs for SNMPv1, v2, and v3. This improves compatibility with monitoring tools and reduces parser errors.
Live Users: unified data units
Data volumes are displayed consistently in KB, MB, and GB. This makes comparisons easier and reduces misunderstandings.
Group import from AD and Entra ID
When importing groups, L2TP and PPTP are no longer enabled automatically. Remote access remains explicitly controllable. This avoids unwanted attack surfaces.
Active Directory SSO: Windows Server 2025
Single Sign-On now supports Windows Server 2025 via NTLM and Kerberos. This makes integration into modern AD environments and hybrid setups with Azure AD easier.
RED System Hosts: correct /32
System host objects for RED now consistently use the /32 subnet mask. Previously, the mask could differ from the configuration set during interface creation. If a RED System Host is used in rules or objects for larger networks, traffic may no longer match after the update. In practice, check dependent firewall rules and host objects and switch to suitable IP or network objects if necessary.
Compatibility and Notes
- SSL VPN compatibility: No tunnels to SFOS 18.5 and older, Legacy SSL VPN Client, or UTM 9. Alternatives: upgrade, IPsec, or RED.
- Legacy RED Site-to-Site tunnels of the old generation are no longer supported from SFOS 22 onward. Migration to supported RED Site-to-Site or IPsec tunnels is recommended.
- Upgrade paths: Follow the official migration paths. Sophos Central can schedule and control upgrades.
- Create a full backup and rollback plan before every upgrade.
Conclusion
Sophos Firewall v21.5 MR1 is a regular maintenance release with smaller improvements and bug fixes. It stabilizes day-to-day operations and includes detailed corrections. The switch to OAuth 2.0 for email notifications, the NDR region selection, and a quick review of HA and Syslog settings are worthwhile. Overall, this release delivers incremental maintenance for the current release branch. Things should become more interesting again in early December, when SFOS v22 is expected.
Further Links
- Avanet Blog: Sophos Firewall v21.5
- Avanet KB: Sophos Firewall Firmware Update – Preparation and Best Practices
- Avanet KB: Updating Firmware on Sophos Firewall (Firmware Update)
