In this blog post, you can read all about the new features that await you in the latest firewall update SFOS 18.5 MR2.
Important info: SFOS 17.5 EoL
Before we get to the latest SFOS release 18.5 MR2, a brief note for everyone still running SFOS 17.5: this version has been end-of-life since November 30, 2021. The only exceptions are the XG 85(w) and XG 105(w) appliances, as this hardware does not support v18 and is EoL in August 2022 anyway. Everyone else should update; otherwise there is no support and there are no security updates.
VPN AES-GCM and AES-GMAC
For site-to-site VPN connections, there is a new encryption mode in phase 2.
These new options provide more performance and will be available for remote clients in a later SFOS release.
MFA for admin user
Until now, it was not possible to enable multi-factor authentication (MFA) for the admin account. However, this system user is particularly exposed, since it exists by default on every firewall. With other manufacturers and systems, such as Windows or Synology, it is becoming more and more common to create a user with the username “Admin” or “Administrator”. With SFOS 18.5 MR2 it is now at least possible to enable MFA for web admin access. 👍
For SSH access, the password alone is still sufficient. It therefore remains important to restrict access as much as possible.
It is also pointed out when there are users for whom MFA has not yet been activated.
Central registration with OTP token
The Firewall and Central now belong together like burgers 🍔 with fries 🍟. However, if you don’t have a Central account yet or need to create a new user, the process involves over 15 steps and takes a few minutes.
Now, with a few clicks on Central, a token can be created, which can be used to register the firewall in Central.
Sophos Firewalls will get an interactive wizard to help with configurations. At present, the wizard offers help on the following three topics.
- DNAT and firewall rules for the internal web server
- Site-to-Site IPsec VPN
- Remote Access SSL VPN
The three available topics were suggested by Sophos Support, as they seem to receive a lot of requests about them. More instructions will follow in the future, and Sophos is open to feedback. So if you have any ideas, please feel free to send them to us via the contact form and we will forward them to Sophos.
- When reinstalling an appliance with the ISO image, a message appears on the firewall LED display after the installation process is complete.
- Certifications – FIPS 140-2 Level 1
- Display of all groups of which a user is a member
- Cloudflare is now supported as DynDNS provider
- Switch to disable IPS globally (e.g. for troubleshooting)
If you want to update to the new version or migrate from an XG to an XGS, please have a look at the following websites. They will help you prepare for the update and clarify important prerequisites.