Sophos SFOS update - New features in v18.5.2

Patrizio - December 3, 2021

In this blog post, you can read all about the changes that await you in the latest firewall update SFOS 18.5 MR2.

Important: SFOS 17.5 EoL

Before we come to the latest SFOS release 18.5 MR2, a short note for everyone still running SFOS 17.5: this version has been end-of-life since November 30, 2021. The exceptions are the XG 85(w) and XG 105(w) appliances, as this hardware does not support v18 and is EoL in August 2022 anyway. Everyone else should update; otherwise there will be no support or security updates.


For site-to-site VPN connections, there is a new encryption mode in phase 2.

New AES-GCM and AES-GMAC options in Phase 2 encryption.

These new options offer better performance and will be available for remote clients in a later SFOS release.

MFA for admin user

Until now, it was not possible to enable multi-factor authentication (MFA) for the admin account. However, this system user is particularly exposed, since it exists by default on every firewall. With other manufacturers and systems, such as Windows or Synology, it is becoming more and more uncommon to create a user with the username "Admin" or "Administrator". With SFOS 18.5 MR2 it is now at least possible to enable MFA for web admin access. 👍

Enable MFA for web admin access.

For SSH access, the password alone is still sufficient. It therefore remains important to restrict access as much as possible.

Prominent notice when accounts without MFA are present.

The firewall also points out when there are users for whom MFA has not yet been activated.

Central registration with OTP token

The firewall and Central now belong together like burgers 🍔 with fries 🍟. However, if you don't have a Central account yet or have to create a new user, registration involves over 15 steps and takes a few minutes.

Generate token for firewall registration in Central.

Now a token can be created with a few clicks in Central and then used to register the firewall in Central.

Sophos Assistant

Sophos Firewalls are getting an interactive assistant to help with configurations. At this time, the assistant provides help on the following three topics.

  • DNAT and firewall rules for the internal web server
  • Site-to-site IPsec VPN
  • Remote Access SSL VPN

The three available topics were suggested by Sophos Support, as they seem to receive a lot of requests about them. More instructions will follow in the future and Sophos is open to feedback. So if you have any ideas, please feel free to send them to us via the contact form and we will forward them to Sophos.

Other improvements

  • When reinstalling an appliance with the ISO image, a message appears on the firewall LED display after the installation process is complete.
  • Certifications - FIPS 140-2 Level 1
  • Display of all groups a user is in
  • Cloudflare is now supported as DynDNS provider
  • Switch to disable IPS globally (e.g. for troubleshooting)

Disable IPS Protection globally
