Shopping Cart

No products in the cart.

Sophos UTM Elevated 9.4 – sandbox, user/group rules and WAF cookies

The new firmware version 9.4 for the UTM is in the starting blocks. The final has already been released. Even though the new Sophos Firewall OS (SFOS) operating system was introduced with the XG series, the UTM is far from dead. We can now definitely confirm this to you first hand. We were at the Sophos Roadshow in Zurich last week. Both operating systems are being further developed in parallel, and the UTM roadmap continues at least until 2017. So it doesn’t look like a quick changing of the guard. Especially since it has to be said that we still recommend the SG-Series and would not consider switching until the Sophos Firewall OS update coming in summer 2016.

But let’s take a look at what’s new in the new Sophos UTM Elevated 9.4 firmware.

Sophos UTM Elevated 9.4 innovations

1. sophos sandstorm

The main innovation comes with the sandboxing solution Sandstorm, which we already announced in a previous post. With 9.4, Sandstorm is now integrated into the system and can be activated after purchasing a license. Corresponding licenses can be ordered immediately in our Sophos store for SG Firewall or XG Firewall. Just click on your hardware model and select the new Sandstorm license.

Sophos Sandstorm is currently only available for UTM 9.4. Owners of an XG firewall, with the Sophos Firewall OS, will have to wait a little longer. Sophos Sandstorm is also not included in the FullGuard bundle and must be purchased separately.

Update: Sophos Sandstorm is now available for UTM and SFOS and can be purchased either individually or in a bundle.

What exactly does Sophos Sandstorm do?

Sophos Sandstorm complements Sophos’s existing security products and provides additional protection against advanced persistent threats (APT) and zero-day malware. All files that are downloaded, whether on the web or via Mail Protection are handled as follows.

  1. The firewall generates a hash value of the file and checks whether it has already been examined. If the file has already been checked, it is already determined whether it should be allowed or blocked.
  2. If the file is unknown, it is transferred to Sophos Labs and analyzed. After the analysis, a report is created for this file, showing exactly what the file tried to do. Finally, the file is deleted from the Sophos servers again.
Sophos Sandstorm - How it works

What do I have to imagine by a “sandbox”?

  • Secluded, isolated environment in which (unknown) files are executed. Of course, known malware is blocked right away, so it does not need to be scanned first. But, for example, a new randsomware that downloads and executes code in the background is detected using this technique.
  • Site for behavior-based dynamic maleware analysis. Each file is executed and analyzed, what this does. After that, a report is created and an evaluation is sent.
  • Emulated analysis environment for Windows, Mac and Android
  • Executable files such as (32 or 64-bit), DLLs, Office documents and other file extensions (DF, HWP, XPF, CHM, JAR, APK Archives (ZIP, BZIP, GZIP, RAR, TAR, LHA / LZH, XZ)

2. user/group based ruleset

There are now also new configuration options to define user or group based rules. Until now, it was only possible to assign a fixed IP address to a device via DHCP or directly in the system and then create firewall rules with this object. However, this had the disadvantage that computers that were not assigned to a fixed employee always had the same rule. The Sophos Transparent Authentication Suite (STAS), which is familiar from the XG, is now also available for the UTM. This makes it possible to create transparent authentication for firewall and application rules with Microsoft Active Directory.

3. WAF Persistent Session Cookies

Improves collaboration with web applications and web server farms.

4. IPv6 SSL VPN Support

Adds the often requested support for IPv6 VPN.

All innovations in the video

When is the final release of version 9.4?

The first UTMs will receive the update in March. It will then be available to everyone by April at the latest. If you can’t wait any longer and want to install version 9.4 right now, please feel free to contact us.


Patrizio is an experienced network specialist with a focus on Sophos firewalls, switches and access points. He supports customers or their IT department in the configuration and migration of Sophos firewalls and ensures optimal network security through clean segmentation and firewall rule management.

Subscribe Newsletter

We send out a monthly newsletter with all the blog posts for that month.