Sophos Firewall v22 MR1: Overview and all new features
Sophos Firewall v22 MR1 builds on the Secure by Design strategy introduced with v22 and adds further telemetry, curated NDR detections from the Taegis environment, and a number of targeted improvements for VPN, SSO, and storage. Sophos Firewall Config Studio V2 is also introduced as a standalone tool that significantly simplifies configuration analysis and comparison.
Secure by Design: extended XDR Linux sensor
With v22, Sophos introduced the XDR Linux sensor on the firewall to detect system tampering at an early stage, for example changes to configuration files or critical processes. SFOS v22 MR1 extends the sensor with detection for interactive shells and reverse shells. If an attacker attempts to establish a controlling session on the firewall after a compromise, the associated TCP or UDP communication to the command-and-control server is blocked. The sensor is now also enabled across the entire XGS series, rather than only on selected models.
Reverse shell detection has been standard on endpoints for years. Running the same logic directly on the firewall is consistent and important. In the worst case, a compromised firewall is a master key into the network. Every additional detection layer on the device itself is more valuable there than downstream correlation alone.
NDR Active Threat Intelligence (iSensor IPS)
SFOS v22 MR1 integrates iSensor IPS technology from the SecureWorks Taegis platform. These curated detections complement the classic IPS signature set with patterns focused on active attackers inside the network, including lateral movement, C2 communication, and similar post-compromise activity.
The set can be enabled under Active threat response > NDR. The corresponding option then has to be selected in the IPS settings of the firewall rules for the new detections to take effect. For XDR and MDR analysts, this means more context and shorter investigation paths because the detections map directly to known adversary TTPs from the Taegis database.
NDR Essentials for all platforms
A question that has come up repeatedly since v21.5: When will NDR Essentials also support virtual and cloud firewalls? With v22 MR1, the answer is now. NDR Essentials runs on all Sophos Firewall platforms: XGS hardware, virtual appliances, cloud deployments, and software installations. This removes the last major restriction that previously excluded virtual setups from NDR protection.
This is the logical continuation of the CPU-oriented architecture introduced in v22. Anyone running a Sophos Firewall on VMware, Hyper-V, or a hyperscaler was previously left out when it came to NDR Essentials. That gap is now closed.
Audit trail with Sophos Central user identity
When an individual firewall is configured through Sophos Central, SFOS v22 MR1 now also logs which Sophos Central user triggered the change. Previously, the Audit Trail often showed only the generic Central account. With the new behavior, it is possible to trace the person behind a configuration change, even if it was not made directly in the firewall’s web admin interface. The information appears both in the firewall Log Viewer and in Sophos Central logs and reports.
This is particularly relevant for organizations subject to NIS2, where traceability of administrative actions is an explicit requirement. In MSP environments with multiple technicians working in the same tenant, it is a long-overdue detail anyway.
VPN stability and retirement of legacy IPsec
SFOS v22 GA had a number of stability issues with policy-based IPsec VPNs, which were addressed in MR1. Specifically, the internal tickets NC-177450, NC-174800, NC-177136, NC-174304, NC-172504, NC-173054, and NC-176083 were fixed. Anyone who was running v22 GA in production and noticed outages or disconnects in policy-based tunnels should check after the update whether the tunnels are now stable.
At the same time, the Legacy Remote Access IPsec VPN is finally being discontinued with v22 MR1. Firewalls that still rely on this old IPsec variant cannot be updated to v22 MR1 or newer. Anyone affected must first migrate to the current Remote Access IPsec configuration – Sophos has published a separate KB article on this.
In practice, most existing setups have long since moved to the newer variant or to SSL VPN. Even so, it is worth checking the configuration before upgrading; otherwise the upgrade will not proceed.
Sophos Connect 2.0 for macOS
With Sophos Connect 2.0 for macOS, SSL VPN connections can now also be used for remote access. Until now, SSL VPN via Sophos Connect was available only on Windows, while macOS users had to use IPsec or third-party clients. This further aligns the feature set across the two client platforms. Details and supported macOS versions can be found in the Sophos Connect release notes.
Microsoft Entra ID SSO: forced re-evaluation
Previously, an existing SSO session could be reused under certain conditions without the Conditional Access Policies in Entra ID being evaluated again. In the worst case, this opened a path to bypass MFA requirements if the session cookies were still valid. SFOS v22 MR1 now forces Conditional Access Policies to be re-evaluated when a session is reused. This is a classic security fix: not very visible, but important for environments that use Entra ID as their central identity source and rely on MFA.
SSD protection and Wi-Fi MTU
Two smaller but useful improvements:
- SSD lifespan: Write operations to the internal SSD have been optimized. This primarily affects devices with high logging volumes and extends the useful life of the hardware.
- Wi-Fi MTU/MSS: The existing CLI commands can now also be used to adjust MTU and MSS values for Wi-Fi interfaces. This is a welcome tool in environments with overlapping tunnels or problematic paths in the Wi-Fi backhaul.
Sophos Firewall Config Studio V2
Sophos Firewall Config Studio V2 (previously Sophos Firewall Configuration Viewer) is a browser-based tool that does significantly more than its predecessor. It supports three main workflows:
- Configuration Report: All rules, policies, and settings of a firewall can be displayed in a consolidated report. Useful for audits, handovers, or onboarding new admins.
- Configuration Compare: Two configurations can be compared directly. Added, changed, removed, and unchanged entries are visually highlighted. This is exactly the tool that has been missing for change reviews or post-migration troubleshooting when you do not want to pick apart a live firewall configuration.
- Configuration Editor: Configurations can be edited or imported directly in the tool. They can then be loaded back into the firewall or exported as an API or curl snippet, for example to roll out changes automatically.
A configuration diff directly in the browser has been requested for years. Anyone who has ever tried to compare two Sophos backups manually knows why this tool is a real step forward. It will be interesting to see how stable the editor is with large configurations and how well the API export fits into existing automation pipelines.
The tool can be accessed via docs.sophos.com.
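As an added illustration of the Configuration Compare workflow described above (example code written for this post, not Sophos' own tool; the two rule snapshots, their field names and the review policy are constructed assumptions), this script classifies rules as added, removed, changed or unchanged and flags the changes a reviewer would want to look at first:

```python
# Added example (not Sophos code): a small change-review diff in the spirit of
# Config Studio's Configuration Compare. Both snapshots are constructed samples
# keyed by rule name; the real tool works on exported firewall configurations.
OLD_CONFIG = {  # constructed "before" snapshot
    "Allow_LAN_to_WAN": {"action": "accept", "src_zone": "LAN", "dst_zone": "WAN",
                         "ips": "lan_to_wan", "log": True},
    "Block_Guest_to_LAN": {"action": "drop", "src_zone": "Guest", "dst_zone": "LAN", "log": True},
    "Legacy_RA_IPsec": {"action": "accept", "src_zone": "VPN", "dst_zone": "LAN", "log": False},
}
NEW_CONFIG = {  # constructed "after" snapshot
    "Allow_LAN_to_WAN": {"action": "accept", "src_zone": "LAN", "dst_zone": "WAN",
                         "ips": "lan_to_wan_ndr", "log": True},
    "Block_Guest_to_LAN": {"action": "drop", "src_zone": "Guest", "dst_zone": "LAN", "log": True},
    "Allow_SSLVPN_to_LAN": {"action": "accept", "src_zone": "VPN", "dst_zone": "LAN", "log": True},
}

def compare_configs(old, new):
    """Classify each rule; changed rules map field -> (old, new) so the reviewer sees what moved."""
    result = {"added": {}, "removed": {}, "changed": {}, "unchanged": []}
    for name in sorted(set(old) | set(new)):
        if name not in old:
            result["added"][name] = new[name]
        elif name not in new:
            result["removed"][name] = old[name]
        elif old[name] == new[name]:
            result["unchanged"].append(name)
        else:
            fields = set(old[name]) | set(new[name])
            result["changed"][name] = {f: (old[name].get(f), new[name].get(f))
                                       for f in sorted(fields) if old[name].get(f) != new[name].get(f)}
    return result

def risky_changes(diff):
    """Flag review-worthy items: new accept rules, rules switched to accept,
    or rules whose logging was turned off. The policy itself is an assumption."""
    flagged = []
    for name, rule in diff["added"].items():
        if rule.get("action") == "accept":
            flagged.append((name, "new accept rule"))
    for name, fields in diff["changed"].items():
        if fields.get("action", (None, None))[1] == "accept":
            flagged.append((name, "action changed to accept"))
        if fields.get("log", (None, None))[1] is False:
            flagged.append((name, "logging disabled"))
    return flagged

if __name__ == "__main__":
    diff = compare_configs(OLD_CONFIG, NEW_CONFIG)
    print({k: diff[k] for k in ("added", "removed", "changed")}, risky_changes(diff))
```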
Updated CIS benchmark for v22
The Health Check introduced with v22 is based on CIS benchmarks. The underlying benchmarks have been updated for v22 and are available for download on the CIS website. Anyone using the Health Check as part of internal audits should use the new version as a reference.
Compatibility and notes
- Legacy Remote Access IPsec VPN: Retired with v22 MR1. Migration to the current Remote Access IPsec configuration is a prerequisite for the upgrade.
- Upgrade paths: SFOS v22 MR1 can be upgraded from all supported v21.5, v21 and v20 versions. Sophos Central can schedule and control the upgrade.
- Backup before upgrade: As always, make a complete backup before the update and have a rollback plan ready.
- Hotfix mechanism: Security-relevant patches continue to be released as over-the-air hotfixes without downtime. However, maintenance releases also bundle non-critical fixes – so an upgrade is worthwhile even without an acute reason.
Conclusion
Sophos Firewall v22 MR1 is a solid maintenance release. The most important points from our perspective are the VPN stability fixes for policy-based IPsec, the extended NDR Essentials support for virtual platforms, and the new Audit Trail with Sophos Central user identity. Reverse shell detection on the firewall itself and the curated iSensor detections from the Taegis environment fit well with the direction Sophos started with v22: the firewall is gradually becoming a sensor platform that provides telemetry, not just a device that filters packets.
What we are still missing has not changed since v22: cloning and grouping NAT rules. The wishes we formulated around a year ago have been partially implemented, while the rest remains on the list. Perhaps in the next MR or by v23 at the latest. Or perhaps Sophos will now pursue a strategy of moving everything into Sophos Firewall Config Studio while the firewall UI stays as it is.
