In early November we installed the second beta of the new SFOS 17.5 firmware and took a closer look at it. At the Sophos Roadshow in March 2018 in Dübendorf it was still mentioned that there were versions 17.2 and 17.3, but Sophos has decided to pack all the planned features together and take the plunge to version 17.5 right away.
We can anticipate one thing from this report: The SFOS 17.5 is causing us rather mixed feelings. There are cool new features, but from our point of view they weren't always thought through to the end.
Lateral Movement Protection
Since the first version of Synchronized Security, it has been possible for the Endpoint Client to share its status with the firewall. Thanks to this feature, we can deny a workstation that has not received updates for a long time, or is already infected, access to the file server or the Internet, in order not to compromise other systems.
However, such a configuration previously also required good network segmentation. If all devices in a company are connected to the same switch and they are on the same network, the Security Heartbeat has not really had an effect until now.
With SFOS 17.5 this feature was extended and improved. It is now also possible to isolate computers that Synchronized Security classified as "unhealthy" from other computers in the same broadcast domain or network. The firewall automatically informs all other clients if there is a problem with one client. So now not only the firewall knows if something is wrong with one client, but also all other clients in the network. This allows an infected device to be isolated even more effectively until the problem has been resolved. As soon as the security heartbeat status changes back to "green", the connection to other systems in the network is automatically re-established.
In addition, IPS detection of vulnerable endpoints can now trigger a "red" heartbeat. This further improves network threat protection.
Forwarding Portal URL
During my tests I noticed a feature that seems to have been smuggled into the new version, since it is not mentioned anywhere in the release notes.
I'm sure you're all familiar with this: when a web page is blocked by the Sophos web proxy, a warning page is displayed to the user. If the user wanted to access the page anyway, the link behind the button pointed to an IP address instead of a normal URL. In version 17.1, this could at least be changed from the console. With 17.5 this can now be done conveniently via the web interface of the XG firewall. 👍
Switching from an IP address to a web URL only works for the web part! If the XG firewall scans your emails, for example, it is common for users to receive a quarantine report from the firewall. This will tell you which emails Sophos Firewall has blocked. By clicking on a link, you can manually release the supposed spam message. But this link is still an IP address, which works technically but gives the user a certificate warning.
Switching from an IP address to a web URL was not finished for the email part. I have received feedback from Sophos that it may be delivered with MR1 or MR2 and that the developers are working on it. I'd rather bet on MR2 here, which we can expect around January or February.
Synchronized User ID
One of the most common tasks that a firewall has to perform is to transport traffic from A to B, provided that a firewall rule has been created for this purpose. The traffic comes from and goes to one IP address at a time. As administrators, we would like to know from which devices the traffic is generated, or even better from which user. This helps us to create user-based firewall rules, gain network transparency, or produce more understandable reports.
On the SFOS there are several ways to recognize the user. In the past, we used the connection to an Active Directory server, which forwarded the user information through an installed agent of the XG firewall. In some environments, however, the agent was not an option.
With SFOS v17.5, endpoints on an Active Directory domain can now share user identity with the firewall via the Security Heartbeat. This makes user identification seamless and easy without the need to deploy an agent to the domain controllers. This feature can be very helpful in many situations.
Terminal servers and Linux hosts are not covered by this solution; for the former, STAC is still the best option. The exceptions do not end there: Mac clients do not work with Active Directory, and VPN users do not log on to it.
You can only benefit from this feature if one of these products is installed on the clients:
- Sophos Central Endpoint Protection
- Sophos Central Endpoint Intercept X
- Sophos Central Intercept X Advanced
In my opinion, it would become interesting if clients that are not in a domain could also share their user data with the XG. As it stands, this feature only solves a very small problem.
Sophos Connect IPSec VPN Client
Our post Install SSL VPN Client is one of the most popular posts in our knowledge base. For many of our customers, VPN was one of the most popular requirements before purchasing a Sophos Firewall.
As described in this guide, we currently use Sophos's SSL VPN client very often. However, it can only be installed on Windows computers. Until now, macOS required the use of third-party tools such as Tunnelblick.
With Sophos Connect, Sophos is now introducing its own IPsec VPN client, as other vendors are doing. Sophos Connect also supports Synchronized Security. While this has worked with the SSL VPN client to date, it has required additional configuration.
Here is a screenshot of what the Sophos Connect IPsec VPN client settings look like on the XG firewall:
Sophos Connect is currently in beta, and the client is available for Windows and macOS. Here is a screenshot of the Mac and Windows clients:
The new IPsec VPN client from Sophos comes with "Sophos Connect Admin" as an additional tool. This allows you to edit a config file later and, for example, customize the hostname or enable 2FA.
Sophos Central Management
With the new SFOS 17.5 firmware a long-standing promise is finally kept: the Sophos Central platform can now also be used to manage the XG firewall. Certainly the right step, but the features are still limited in this first version.
To connect your central account to the firewall, you must first enable central management on the XG firewall.
Update 20.11.2018: Sophos Central has received an update that now displays the 'Firewall Management' menu item. By enabling Central Management on our XG firewall, we were able to successfully integrate the device into our Sophos Central account.
If you connect to the firewall via Sophos Central, you are then logged on to the firewall as admin. The downside is that, in theory, other users who have access to Sophos Central Admin can now access the firewalls. It is enough for these users to have read-only permission. We hope that in the future it will be possible to control more precisely who has the right to log on to the firewalls via Central.
Firewall management via SSO
If you have Central Management enabled on your firewall, you can open the Sophos XG Firewall directly from the Central interface without having to log in a second time.
By default, Central Management also stores the backups of your firewall on Central. If you don't want this, you can simply disable this feature on your XG Firewall.
If the firewall has been linked to Central, you will also see the firewall messages in the Central Dashboard. These include interface or VPN failures, resource utilization, license notifications, and security alerts.
From Sophos Central, you can update your firewall firmware to the latest version with a single click.
Light-Touch Deployment (Zero-Touch Deployment)
The "Light-Touch Deployment" is a really cool thing! In the future it will be possible to configure a new XG firewall via Central. First you click your way through a small wizard that spits out an XG config file at the end. This configuration can then be downloaded and copied to a USB stick. Then the new firewall has to be started with this stick and the configuration is transferred. If you have done everything correctly, you can access the firewall via Sophos Central and perform the remaining configurations.
"Light-Touch Deployment" will make it a lot easier for us to set up XG Firewalls for our customers in the future. For our setup and configuration service we currently have the firewalls delivered to our office and create the basic configuration directly on the devices. Then we send them to the customer, who only has to connect the firewall to the network. With "Light-Touch Deployment" we can skip shipping the hardware to us in the future and are therefore at least one day faster. 😎
Since this workflow requires a Central Account, we will probably not be able to apply this procedure to every new customer.
Synchronized Security – Synchronized Application Control improvements
Synchronized Application Control was first introduced in Version 17.0 and further improved in Version 17.1. With this feature, Sophos wanted to provide a solution to the basic problem that a large proportion of network traffic is still difficult to control and can pass through the firewall relatively undetected even with HTTP/HTTPS scanning. With Synchronized Application Control, the endpoint tells the firewall exactly what software is causing the traffic. This makes it much easier to classify network traffic.
With v17.5 the following improvements have been implemented:
- View Windows and Mac system applications in a separate list
- Hide applications, with a new filter option to show or hide the hidden applications again.
- There is also a new option to mark applications so that they are removed from the "new" list.
- Improved pathname display
The Log Viewer is one of the things I have learned to treasure on the XG. Every now and then it's not the fastest, but I'm sure they're working on it. With version 17.5 it is now possible to customize the view (custom column selection), so you can choose which columns you really need.
Web Policy Improvements
Imagine a teacher working with his class on a computer and a required website being blocked. In such a situation the admin always had to be called to unlock the site. SFOS version 17.5 adds a feature to the web policies that lets you permit authorized users to access blocked websites anyway. So you could give this teacher the possibility to unlock this website, domain or category himself via the User Portal.
Each rule receives a code, which he can then share with the class. On the blocked page, the students can then enter this code and temporarily go to the actually blocked website.
As administrators, we then see in a list which codes have been generated and can delete them again. The admin can also define locations or categories which cannot be bypassed by the teachers.
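As an added illustration (not Sophos code; the class and method names are my assumptions), here is a minimal Python model of the bypass-code rules just described: a code is scoped to one domain or category, expires, can be revoked by the admin, and never unlocks a category the admin has locked.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class BypassCode:
    scope: str        # the domain or category this code unlocks
    issued_by: str    # user who generated it (e.g. the teacher)
    expires_at: float
    revoked: bool = False


class BypassPolicy:
    """Constructed model of per-policy bypass codes (hypothetical names):
    issued by an authorized user, time-limited, revocable by the admin,
    and never valid for admin-locked categories."""

    def __init__(self, locked_categories, ttl_seconds=3600):
        self.locked = set(locked_categories)   # admin-defined, cannot be bypassed
        self.ttl = ttl_seconds
        self.codes = {}                        # code -> BypassCode

    def issue_code(self, issued_by, scope, now=None):
        if scope in self.locked:
            raise PermissionError(f"{scope} is locked by the administrator")
        code = secrets.token_hex(4).upper()    # 32 random bits, e.g. '3F9A0C21'
        start = time.time() if now is None else now
        self.codes[code] = BypassCode(scope, issued_by, start + self.ttl)
        return code

    def revoke(self, code):
        # The admin sees the generated codes in a list and can delete them again.
        if code in self.codes:
            self.codes[code].revoked = True

    def active_codes(self, now=None):
        t = time.time() if now is None else now
        return {c: e for c, e in self.codes.items()
                if not e.revoked and t < e.expires_at}

    def may_access(self, code, domain, category, now=None):
        entry = self.codes.get(code)
        t = time.time() if now is None else now
        if entry is None or entry.revoked or t >= entry.expires_at:
            return False
        if category in self.locked:            # a locked category beats any code
            return False
        return entry.scope in (domain, category)
```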
Here are a few more small changes that will be available in SFOS version 17.5 in the web policy:
- Setting a default search engine
- SafeSearch and YouTube Restrictions
- Limiting the file size for downloads
- Google App domain restrictions are all set on a policy-specific basis
Chromebooks are becoming increasingly popular in education and in some corporate environments (since Apple devices are becoming more expensive) 😉. User identification on this operating system is different from other systems and has not been supported by the XG firewall until now. With v17.5, Sophos offers a Chromebook extension that shares Chromebook user IDs with the firewall. This enables policy enforcement and user reporting. However, an Active Directory server is required to synchronize with Google Gsuite. The Chrome extension is launched from the Gsuite management console and provides a simple deployment that is transparent to the user.
Client Authentication Agent
The XG Firewall Client Authentication Agent provides the ability to tell the XG Firewall which user is currently logged on to the computer without Active Directory. To do this, simply run the Client Authentication Agent on the device.
The client is available for Windows, macOS, Linux 32/64 Bit, iOS and Android. The download can be found in the User Portal.
Now there is support for:
- installation per machine (and not per user)
- an option to hide the agent at startup
- an option for the user to explicitly log off
- automatic reconnection when waking up from sleep mode
- MAC address telemetry sharing to support MAC address filtering
- a new taskbar icon
- Windows XP (for whatever reason this was done)
If you create a new firewall rule, you can now directly assign it to a group. There is also a new automatic group assignment, although it didn't work very well for me. In my tests, the firewall wanted to automatically assign my rule to a group, but I didn't want it in that group.
- With 17.5 the email engine switches back to Exim, which is also used on the UTM.
- Receiver check via Active Directory
- The web protection of SFOS is now almost identical to that of the UTM operating system.
- Sender Policy Framework (SPF) spoofing protection.
- More categories for fine-tuning the rules, which gives better performance and more protection.
- Support for Radius server failover with multiple servers.
- SD-WAN failover and failback
- IPsec failover: redundant groups for IPsec connections so that they switch to another WAN link during a failover. As soon as the main connection is available again, they can switch back.
What can we expect in the next versions?
In the coming weeks / months maintenance releases will be released as usual, which will provide some more features.
Sophos Wireless APX Access Point Support
So far, Sophos's new APX access points could only be used with Sophos Central. Support for the XG firewall is expected in MR1, which will be released approximately 2-4 weeks after the 17.5 release. The APX 120, which will be available for less than 200 CHF, will not be released until January 2019.
There are XG firewalls that are not connected to the Internet. A license activation was unfortunately not possible with these devices so far. There is now an option to download the license and updates to the firewall using a USB stick.