Sophos SFOS update: New features in v18.0.3 MR3
Admins who have already updated their XG firewall to 17.5 MR13 and MR14 have been waiting for this update for quite some time. But also for all others v18 MR3 comes with 34 bug fixes and some new features.
Upgrade to v18
Currently, there are still two different versions of SFOS being updated by Sophos. There is v17.5 (MR6 — MR14.1) and version 18 (MR1 and MR2).
Users of an XG 85 or XG 105 cannot upgrade to v18 because of insufficient RAM. Therefore, these firewall appliances are also End of Sale and there are corresponding follow-up models. For customers with these older appliances, Sophos continues to keep v17.5 current, at least as far as bug fixes and security updates are concerned.
To benefit from the latest features, it would be recommended to switch to the new models that support v18. To make it easier for customers with older devices, Sophos is offering a Renewal Promo until the end of the year, giving 50% of the new firewall hardware for free. The other option would be to simply wait until 2021 Q2… (SPOILER: New hardware series will be released. 🤫)
But for firewalls that support v18, an update has not been that easy so far. Until now, there was a working migration path to version 18 only for versions 17.5 MR6 to MR12. Those who had already installed MR13 or MR14 meanwhile were confronted with a factory reset when manually updating to v18 and lost their complete configuration.
With v18 MR3 there is an update path again. We also see with our v17.5 customers that the v18 update on the firewall is suggested automatically for the first time. So, Sophos is confident and has gained enough experience with v18 to make the upgrade available to all customers.
Our experience with v18 and v18 MR3 is also very positive. We recommend an upgrade to v18. 🙌
Why v18 is a fantastic release
- In SFOS v18 there are some new functions
- With SFOS v18 there are new features for the Central Firewall Management
The same firewall appliance has also become much faster with the software upgrade to v18! 🚀
On the 100 series (XG 86 - XG 135) the web interface has become quite a bit faster, but on the bottom line it is still **damn slow! 🐌
VPN performance improvements
SSL VPN performance has been improved with v18 MR3. Now, much more parallel connections are supported on the larger hardware models than on the older SFOS version.
Secure Storage Master Key (SSMK)
If you have completed the update and then log in as admin, the following display appears:
Background to this changes
Sophos found a vulnerability in SFOS several months ago. Even further back there was the problem that with some effort the administrator password could be read from the backup files. As a result, backup encryption was also implemented. Sophos takes this issue very seriously and has put a lot of effort into preventing this from happening again. The planned roadmap was shifted by half a year and the first thing they took care of was the security of their system. The incidents have shown that even a firewall, which is supposed to protect against threats, is vulnerable.
The saying “100% security does not exist” does not exist without reason. Many movies or series would be very boring if such a 100 percent security would exist. 😋
Now with v18 MR3 there is the Secure Storage Master Key. This key can only be created with the admin user. This does not work with another user who has administrator rights. With the definition of this new key, important information is encrypted again. If you want to know exactly what happens here, you can read the Secure Storage Dokument.
So create a secure password and store it securely as well.
The login window of the firewall has been protected with a captcha since the above mentioned vulnerability for the UserPortal and Admin login.
With MR3 this bot protection can be disabled. To do this, you have to log on to the firewall over SSH and switch to the console with keyboard input ‘4’.
Here you can activate, deactivate or display the captcha setting for the login windows with the following command.
console> system captcha-authentication-global enable/disable/show for userportal/webadminconsole
Device Access warnings
Like the two functions above, the Device Access warnings are also intended to provide more security.
In the menu: ‘Administration > Device Access’ you can define the access to the firewall services.
Here you should proceed according to the following principle: Close everything and open consciously. For example, by activating the checkbox at ‘Ping’ or ‘User Portal’, you allow every computer worldwide to access your firewall via ICMP or User Portal.
Of course you can change the settings as before. Now the system shows a warning message. This should make you aware of what you can open to the outside world by activating a checkbox in the WAN zone.
It is better to define more precisely where the traffic is allowed from with the ‘Local service ACL exeption rule’. For example, select only your country for accessing the user portal or, when pinging, only those IPs that are actually allowed to reach the firewall via ICMP.
Sophos Central Firewall Management
High Availability Cluster view
All listeners to our podcast know that the Central Firewall Manager is a product in which I see a lot of potential. You can still see that it’s under development, but with v18 MR3 a really nasty thing is fixed.
HA clusters are now no longer displayed as online and offline devices, but you can now easily see which firewalls have been configured to a cluster.
If you click with the mouse on the status display, you will be shown even more information. This shows that this device is in an active-passive cluster and that it is the Auxiliary Device.
It is now possible to schedule firmware updates via the Central Firewall Manager. UTM Admins know this from the past.
For a planned update, you can also select multiple firewalls simultaneously, which is a huge benefit in larger environments.
Nevertheless, this feature should be used with caution. An update can also cause problems.
In the screenshot above you can see that there are still some updates to be installed in this environment. 😅
If a firewall is in an update process, this is signaled by an animated icon in the overview. With a click on it you get even more information.
There are more functions in this release, but I won’t go into detail about them. But for completeness, I will list them:
- Sophos Connect Client: You can now add groups instead of just individual users.
- SFOS now also supports the infrastructure of Nutanix AHV and Nutanix Flow
- AWS: Support for new instances in the AWS Cloud (C5, M5 and T3)
- AWS: Support of CloudFormation Templates
- AWS: Support for Virtual WAN Zones on custom gateways