Sophos SFOS update - new features in v18.5.2
In this blog post you will find out which changes are waiting for you in the latest SFOS 18.5 MR2 firewall update.
Important information: SFOS 17.5 EoL
Before looking at the latest SFOS 18.5 MR2 release, a brief message for everyone still running SFOS version 17.5: it has been end-of-life since 30 November 2021. The only exceptions are the XG 85(w) and XG 105(w) appliances, because this hardware does not support v18 and will reach EoL in August 2022 anyway. For everyone else the rule is: update, otherwise you will no longer receive support or security updates.
VPN AES-GCM and AES-GMAC
For site-to-site VPN connections there is a new encryption mode in Phase 2.

These new options provide better performance and will also be available for remote clients in a later SFOS version.
MFA for admin users
Up to now, you could not enable multi-factor authentication (MFA) for the admin account. This system user is very exposed, because the account exists by default on every firewall. With other vendors and systems such as Windows or Synology, admins are moving away from creating a user with the username “Admin” or “Administrator”. With SFOS 18.5 MR2 it is now at least possible to enable MFA for web admin access. 👍

For SSH access a password alone is still sufficient. It therefore remains important to restrict access as much as possible.

You are also notified if there are users for whom MFA has not yet been enabled.
Central registration with OTP token
The firewall and Central now belong together like burgers 🍔 and chips 🍟. However, if you do not yet have a Central account or need to create a new user, the process involves more than 15 steps and takes a few minutes.

You can now create a token in Central with just a few clicks and use it to register the firewall in Central.
Sophos Assistant
Sophos firewalls are getting an interactive assistant designed to help with configuration. At the moment the assistant offers help with the following three topics:
- DNAT and firewall rules for an internal web server
- Site-to-site IPsec VPN
- Remote access SSL VPN
The Sophos Support team suggested the three available topics because they apparently receive many requests about them. More guides will follow in the future, and Sophos is open to feedback. If you have ideas, you are welcome to send them to us via the contact form and we will pass them on.

Further improvements
- When an appliance is reinstalled with the ISO image, a message now appears on the firewall’s LED display after the installation process has completed.
- Certifications – FIPS 140-2 Level 1
- Display of all groups a user is a member of
- Cloudflare is now supported as a DynDNS provider
- Toggle to disable IPS globally (for example for troubleshooting)

Further information
If you want to update to the new version now or migrate from an XG to an XGS, you should first take a look at the pages below. They help you prepare properly for the update and clarify important prerequisites.
