Shopping Cart

No products in the cart.

Sophos Firewall Update - SFOS v18.5 MR2

Sophos SFOS update – new features in v18.5.2

In this blog post, you can read all about the new features that await you in the latest firewall update SFOS 18.5 MR2.

Important info: SFOS 17.5 EoL

Before we come to the latest SFOS release 18.5 MR2, short information for all who still use the SFOS version 17.5. This has been end-of-life since November 30, 2021. With the exception of the XG 85(w) and XG 105(w) appliances, as this hardware does not support v18 and is EoL in August 2022 anyway. For all others, update, otherwise there is no support or security updates.

VPN AES-GCM and AES-GMAC

For site-to-site VPN connections, there is a new encryption mode in phase 2.

SFOS 18.5.2 AES-GCM / AES-GMAC
New AES-GCM and AES-GMAC options in Phase 2 encryption.

These new options provide more performance and will be available for remote clients in a later SFOS release.

MFA for admin user

Until now, it was not possible to enable multi-factor authentication (MFA) for the admin account. However, this system user is very vulnerable, since it exists by default on every firewall. With other manufacturers and systems, such as Windows or Synology, it is becoming more and more common to create a user with the username “Admin” or “Administrator”. With SFOS 18.5 MR2 it is now at least possible to enable MFA for web admin access. 👍

SFOS 18.5.2 MFA settings
Enable MFA for web admin access.

For SSH access, only the password is still sufficient. Therefore, it is still important that access is restricted as much as possible.

SFOS 18.5.2 MFA notification
Conspicuous indication when accounts without MFA are present.

It is also pointed out that there are users for whom the MFA has not yet been activated.

Central registration with OTP token

The Firewall and Central now belong together like burgers 🍔 with fries 🍟. However, if you don’t have a Central account yet or need to create a new user, it’s over 15 steps and takes a few minutes.

SFOS 18.5.2 Central OTP Token

Now, with a few clicks on Central, a token can be created, which can be used to register the firewall in Central.

Sophos Wizard

Sophos Firewalls will get an interactive wizard to help with configurations. At the current time, the wizard offers you help on the following three topics.

  • DNAT and firewall rules for the internal web server
  • Site-to-Site IPsec VPN
  • Remote Access SSL VPN

The three available themes were suggested by Sophos Support, as they seem to receive a lot of requests about them. More instructions will follow in the future and Sophos is open to feedback. So if you have any ideas, please feel free to send them to us via the contact form and we will forward them to you.

Sophos Assistant in Sophos Firewall
Sophos Assistant in SFOS

More improvements

  • When reinstalling an appliance with the ISO image, a message appears on the firewall LED display after the installation process is complete.
  • Certifications – FIPS 140-2 Level 1
  • Display of all groups in which a user is located
  • Cloudflare is now supported as DynDNS provider
  • Switch to disable IPS globally (e.g. for troubleshooting)
SFOS 18.5.2 global IPS switch
Disable IPS Protection globally

More information

If you want to update to the new version or migrate from an XG to an XGS, please have a look at the following websites. They will help to prepare you ideally for the update and clarify important prerequisites.

Patrizio
Patrizio

Subscribe Newsletter

We send out a monthly newsletter with all the blog posts for that month.