Admins who have already updated their XG Firewall to 17.5 MR13 or MR14 have been waiting for this update for quite some time. For everyone else, v18 MR3 brings 34 bug fixes and some new features.
Upgrade to v18
Currently, there are still two different versions of SFOS that Sophos keeps updated: v17.5 (MR6 – MR14.1) and v18 (MR1 and MR2).
Users of an XG 85 or XG 105 cannot upgrade to v18 due to insufficient RAM. That’s why these firewall appliances are also end of sale and there are corresponding successor models. For customers with these older devices, Sophos continues to keep v17.5 up to date, at least in terms of bug fixes and security updates.
To benefit from the latest features, it would be advisable to switch to the new models that support v18. To make this decision easier for customers with older devices, Sophos is offering a renewal promo until the end of the year that gives you a 50% discount on the new firewall hardware. The other option would be to simply wait until 2021 Q2….(SPOILER: New hardware series to be released. 🤫)
For firewalls that support v18, however, updating has not been so easy. Until now, there was only a working migration path to version 18 for versions 17.5 MR6 to MR12. Anyone who had already installed MR13 or MR14 in the meantime was confronted with a factory reset when manually updating to v18 and lost their complete configuration.
With v18 MR3 there is an update path again. Also, for our v17.5 customers, we see that the v18 update is automatically suggested on the firewall for the first time. So Sophos is confident and has gained enough experience with v18 to make the upgrade available to all customers.
Our experiences with v18 and v18 MR3 are also quite positive. We therefore recommend an upgrade to v18. 🙌
Why v18 is a really good release
- In SFOS v18 there are some new features
- With SFOS v18 there are new features for Central Firewall Management
The same firewall appliance has also become a lot faster with the software upgrade to v18! 🚀
On the 100 series (XG 86 – XG 135), the web interface has become quite a bit faster, but the bottom line is still damn slow! 🐌
VPN performance improvements
SSL VPN performance has been improved in v18 MR3. Many more parallel connections are now supported on the larger hardware models than with the older SFOS version.
Secure Storage Master Key (SSMK)
After performing the update and logging in as admin afterwards, the following display appears:
Background to these changes
Sophos had a vulnerability in SFOS a few months ago. Even further back, there was the problem that the administrator password could be read from the backup files with some effort. As a result, backup encryption was also introduced. Sophos takes this matter very seriously and has therefore also made some effort to ensure that something like this does not happen again. The planned roadmap was postponed by half a year, and the security of the company’s own system was taken care of first. The incidents have shown that even a firewall, which is supposed to protect against threats, is vulnerable.
The saying “100 percent certainty does not exist” exists for a reason. Many films or series would be very boring if there were such a 100 percent certainty. 😋
Now, with v18 MR3, the Secure Storage Master Key is available. This key can be created only with the admin user. This does not work with another user who has administrator rights. With the definition of this new key, important information is additionally encrypted. If you want to know exactly what happens here, you can read about it in the Secure Storage document.
So create a secure password and save it securely as well.
Since the above-mentioned vulnerability, the firewall login windows for the User Portal and the admin login have been equipped with a captcha.
With MR3 this bot protection can be disabled. To do this, log in to the firewall via SSH and switch to the device console by selecting option “4”.
Here you can use the following command to enable, disable or show the captcha setting for the login windows.
console> system captcha-authentication-global <enable|disable|show> for <userportal|webadminconsole>
Device Access Warnings
Like the two functions above, the Device Access warnings are also intended to provide more security.
Under the menu item “Administration > Device Access” you define which zones may access the firewall’s services.
Here you should proceed according to the following principle: Close everything and open consciously. For example, by checking the box for “Ping” or “User Portal”, you allow any computer in the world to reach your firewall via ICMP or User Portal.
Of course, you can change the settings as before. The system now issues a warning message. This should make you aware of what you are opening up to the outside world by activating a checkbox in the WAN zone.
It is better to use the “Local service ACL exception rule” to define more precisely where traffic is allowed from. For example, for access to the user portal, select only your country, or for pinging, select only the IPs that actually need to reach the firewall via ICMP.
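The “close everything and open consciously” principle can be turned into a simple audit. The following is an added example, not code from Sophos or the SFOS API: it models the Device Access matrix and the local service ACL exception rules as plain Python objects (a constructed simplification), then flags every service that is reachable from the WAN zone without a source restriction, just as the new v18 MR3 warning does when you tick a checkbox in the WAN column.

```python
from dataclasses import dataclass, field


@dataclass
class ExceptionRule:
    """Constructed model of a 'Local service ACL exception rule'."""
    services: frozenset
    source_networks: frozenset = frozenset()   # e.g. {"203.0.113.10"} (constructed value)
    source_countries: frozenset = frozenset()  # e.g. {"DE"}

    def is_scoped(self) -> bool:
        # An exception rule with no source restriction is as open as the WAN checkbox.
        return bool(self.source_networks or self.source_countries)


@dataclass
class DeviceAccess:
    """service name -> zones in which its checkbox is ticked, plus exception rules."""
    allowed: dict
    exceptions: list = field(default_factory=list)


def wan_exposure_report(cfg: DeviceAccess) -> dict:
    """'open_to_world': WAN box ticked, or reachable via an unscoped exception rule.
    'scoped': not ticked for WAN, reachable only via rules limited to networks/countries."""
    report = {"open_to_world": [], "scoped": []}
    services = set(cfg.allowed) | {s for r in cfg.exceptions for s in r.services}
    for service in sorted(services):
        wan_ticked = "WAN" in cfg.allowed.get(service, set())
        rules = [r for r in cfg.exceptions if service in r.services]
        if wan_ticked or any(not r.is_scoped() for r in rules):
            report["open_to_world"].append(service)
        elif rules:
            report["scoped"].append(service)
    return report


# Constructed sample: Ping ticked in WAN, User Portal limited to one country,
# SSH opened through an exception rule that forgot to limit sources, admin HTTPS LAN-only.
SAMPLE = DeviceAccess(
    allowed={"Ping": {"LAN", "WAN"}, "HTTPS": {"LAN"}, "User Portal": {"LAN"}, "SSH": {"LAN"}},
    exceptions=[
        ExceptionRule(frozenset({"User Portal"}), source_countries=frozenset({"DE"})),
        ExceptionRule(frozenset({"SSH"})),
    ],
)

if __name__ == "__main__":
    rep = wan_exposure_report(SAMPLE)
    for svc in rep["open_to_world"]:
        print(f"WARNING: {svc} is reachable from any host on the internet")
    for svc in rep["scoped"]:
        print(f"ok: {svc} reachable from WAN only via a scoped exception rule")
```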
Sophos Central Firewall Management
High Availability Cluster View
All listeners of our podcast know that Central Firewall Manager is a product in which I see a lot of potential. You can still tell it is under development, but v18 MR3 fixes a really unattractive thing.
HA clusters are no longer displayed merely as online or offline; instead, it is now easy to see which firewalls have been configured to form a cluster.
If you click on the status display, you are shown even more information. Here it shows that this device is in an active-passive cluster and that it is the auxiliary device.
It is now possible to schedule firmware updates via the Central Firewall Manager. UTM admins know this from the past.
For a planned update, you can also select multiple firewalls at the same time, which is an enormous relief in larger environments.
Nevertheless, this feature should be taken with a grain of salt. An update can also cause problems sometimes.
In the screenshot above, you can see that some updates still need to be installed in this environment. 😅
If a firewall is in an update process, this is indicated by an animated icon in the overview. Click on it to get even more information.
There are more features to this release, but I won’t go into them in detail. For the sake of completeness, however, I still list them:
- Sophos Connect Client: Groups can now be added, not just individual users.
- SFOS now also supports Nutanix AHV and Nutanix Flow infrastructure
- AWS: Support for new instances in the AWS Cloud (C5, M5 and T3)
- AWS: CloudFormation Templates Support
- AWS: Support for Virtual WAN Zones on Custom Gateways