Homepage » Blog » Sophos Firewall » Sophos SFOS update – New features in v18.0.3 MR3
Sophos Firewall Update - SFOS v18.0 MR3

Sophos SFOS update – New features in v18.0.3 MR3

Admins who have already updated their XG firewall to 17.5 MR13 and MR14 have been waiting for this update for quite some time. But also for all others v18 MR3 comes with 34 bug fixes and some new features.

Upgrade to v18

Currently, there are still two different versions of SFOS being updated by Sophos. There is v17.5 (MR6 — MR14.1) and version 18 (MR1 and MR2).

Users of an XG 85 or XG 105 cannot upgrade to v18 because of insufficient RAM. Therefore, these firewall appliances are also End of Sale and there are corresponding follow-up models. For customers with these older appliances, Sophos continues to keep v17.5 current, at least as far as bug fixes and security updates are concerned.

To benefit from the latest features, it would be recommended to switch to the new models that support v18. To make it easier for customers with older devices, Sophos is offering a Renewal Promo until the end of the year, giving 50% of the new firewall hardware for free. The other option would be to simply wait until 2021 Q2… (SPOILER: New hardware series will be released. 🤫)

But for firewalls that support v18, an update has not been that easy so far. Until now, there was a working migration path to version 18 only for versions 17.5 MR6 to MR12. Those who had already installed MR13 or MR14 meanwhile were confronted with a factory reset when manually updating to v18 and lost their complete configuration.

With v18 MR3 there is an update path again. We also see with our v17.5 customers that the v18 update on the firewall is suggested automatically for the first time. So, Sophos is confident and has gained enough experience with v18 to make the upgrade available to all customers.

Our experience with v18 and v18 MR3 is also very positive. We recommend an upgrade to v18. 🙌

Why v18 is a fantastic release

The same firewall appliance has also become much faster with the software upgrade to v18! 🚀

On the 100 series (XG 86 - XG 135) the web interface has become quite a bit faster, but on the bottom line it is still damn slow! 🐌

VPN performance improvements

SSL VPN performance has been improved with v18 MR3. Now, much more parallel connections are supported on the larger hardware models than on the older SFOS version.

Secure Storage Master Key (SSMK)

If you have completed the update and then log in as admin, the following display appears:

Background to these changes

Sophos found a vulnerability in SFOS several months ago. Even further back there was the problem that with some effort the administrator password could be read from the backup files. As a result, backup encryption was also implemented. Sophos takes this issue very seriously and has put a lot of effort into preventing this from happening again. The planned roadmap was shifted by half a year and the first thing they took care of was the security of their system. The incidents have shown that even a firewall, which is supposed to protect against threats, is vulnerable.

Der Spruch „100-prozentige Sicherheit gibt es nicht“ existiert ja nicht ohne Grund. Viele Filme oder Serien wären dann ja auch sehr langweilig, wenn so eine 100-prozentige Sicherheit existieren würde. 😋

Now with v18 MR3 there is the Secure Storage Master Key. This key can only be created with the admin user. This does not work with another user who has administrator rights. With the definition of this new key, important information is encrypted again. If you want to know exactly what happens here, you can read the Secure Storage Dokument.

So create a secure password and store it securely as well.

Disable captcha

The login window of the firewall has been protected with a captcha since the above mentioned vulnerability for the UserPortal and Admin login.

Mit MR3 kann dieser Bot-Schutz deaktivieren werden. Um dies zu tun, muss man sich auf der Firewall via SSH anmelden und mit der Tastatureingabe „4“ auf die Konsole wechseln.

Here you can activate, deactivate or display the captcha setting for the login windows with the following command.

console> system captcha-authentication-global enable/disable/show for userportal/webadminconsole

Device Access warnings

Like the two functions above, the Device Access warnings are also intended to provide more security.

Unter dem Menüpunkt: „Administration > Device Access“ kann man den Zugriff auf die Firewall-Dienste definieren.

Here you should proceed according to the following principle: Close everything and open consciously. Dadurch, dass z. B. die Checkbox bei „Ping“ oder „User Portal“ aktiviert ist, erlaubt ihr jedem Computer weltweit eure Firewall mittels ICMP oder User Portal zu erreichen.

Of course you can change the settings as before. Now the system shows a warning message. This should make you aware of what you can open to the outside world by activating a checkbox in the WAN zone.

Besser ist es, wenn ihr mit den „Local service ACL exeption rule“ genauer definiert, woher der Traffic erlaubt ist. Wählt z. B. für den Zugriff auf das User Portal nur euer Land aus oder beim Ping nur die IPs, welche die Firewall tatsächlich mittels ICMP erreichen dürfen, sollen, müssen.

Sophos Central Firewall Management

High Availability Cluster View

All listeners to our podcast know that the Central Firewall Manager is a product in which I see a lot of potential. You can still see that it's under development, but with v18 MR3 a really nasty thing is fixed.

HA clusters are now no longer displayed as online and offline devices, but you can now easily see which firewalls have been configured to a cluster.

If you click with the mouse on the status display, you will be shown even more information. This shows that this device is in an active-passive cluster and that it is the Auxiliary Device.

Scheduled Updates

It is now possible to schedule firmware updates via the Central Firewall Manager. UTM Admins know this from the past.

For a planned update, you can also select multiple firewalls simultaneously, which is a huge benefit in larger environments.

Nevertheless, this feature should be used with caution. An update can also cause problems.

In the screenshot above you can see that there are still some updates to be installed in this environment. 😅

If a firewall is in an update process, this is signaled by an animated icon in the overview. With a click on it you get even more information.

Other enhancements

There are more functions in this release, but I won't go into detail about them. But for completeness, I will list them:

  • Sophos Connect Client: You can now add groups instead of just individual users.
  • SFOS now also supports the infrastructure of Nutanix AHV and Nutanix Flow
  • AWS: Support for new instances in the AWS Cloud (C5, M5 and T3)
  • AWS: Support of CloudFormation Templates
  • AWS: Support for Virtual WAN Zones on custom gateways
Shopping Cart
Scroll to Top