{"id":169631,"date":"2026-05-01T11:57:49","date_gmt":"2026-05-01T10:57:49","guid":{"rendered":"https:\/\/www.avanet.com\/blog\/sophos-firewall-v22-mr1\/"},"modified":"2026-05-05T12:38:22","modified_gmt":"2026-05-05T11:38:22","slug":"sophos-firewall-v22-mr1","status":"publish","type":"post","link":"https:\/\/www.avanet.com\/en\/blog\/sophos-firewall-v22-mr1\/","title":{"rendered":"Sophos Firewall v22 MR1: Overview and all new features"},"content":{"rendered":"\n<p>Sophos Firewall v22 MR1 builds on the secure-by-design strategy introduced with v22 and extends it with additional telemetry, curated NDR detections from the Taegis environment and a few detailed improvements to VPN, SSO and storage. In addition, Sophos Firewall Config Studio V2 is a stand-alone tool that significantly simplifies configuration analysis and comparison. <\/p>\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of contents<\/h2><nav><ul><li class=\"\"><a href=\"#secure-by-design-erweiterter-xdr-linux-sensor\">Secure by design: extended XDR Linux sensor<\/a><\/li><li class=\"\"><a href=\"#ndr-active-threat-intelligence-i-sensor-ips\">NDR Active Threat Intelligence (iSensor IPS)<\/a><\/li><li class=\"\"><a href=\"#ndr-essentials-fur-alle-plattformen\">NDR Essentials for all platforms<\/a><\/li><li class=\"\"><a href=\"#audit-trail-mit-sophos-central-user-identitat\">Audit trail with Sophos Central user identity<\/a><\/li><li class=\"\"><a href=\"#vpn-stabilitat-und-retirement-legacy-i-psec\">VPN stability and retirement legacy IPsec<\/a><\/li><li class=\"\"><a href=\"#sophos-connect-2-0-fur-mac-os\">Sophos Connect 2.0 for macOS<\/a><\/li><li class=\"\"><a href=\"#microsoft-entra-id-sso-erzwungene-re-evaluierung\">Microsoft Entra ID SSO: forced re-evaluation<\/a><\/li><li class=\"\"><a href=\"#ssd-schonung-und-wi-fi-mtu\">SSD protection and Wi-Fi MTU<\/a><\/li><li class=\"\"><a href=\"#sophos-firewall-config-studio-v-2\">Sophos Firewall Config Studio V2<\/a><\/li><li 
class=\"\"><a href=\"#aktualisierter-cis-benchmark-fur-v-22\">Updated CIS benchmark for v22<\/a><\/li><li class=\"\"><a href=\"#kompatibilitat-und-hinweise\">Compatibility and notes<\/a><\/li><li class=\"\"><a href=\"#fazit\">Conclusion<\/a><\/li><li class=\"\"><a href=\"#quellen\">More information<\/a><\/li><\/ul><\/nav><\/div>\n\n<h2 class=\"wp-block-heading\" id=\"secure-by-design-erweiterter-xdr-linux-sensor\">Secure by design: extended XDR Linux sensor<\/h2>\n\n<p>With v22, Sophos has introduced the XDR Linux sensor on the firewall to detect manipulation of the system &#8211; such as configuration files or critical processes &#8211; at an early stage. SFOS v22 MR1 extends the sensor to detect interactive shells and reverse shells. If an attacker attempts to establish a controlling session on the firewall after an intrusion, the associated TCP or UDP communication to the command and control server is blocked. This sensor is now also activated on the entire XGS series &#8211; no longer just on individual models.   <\/p>\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Reverse shell detection has been standard on endpoints for years. The fact that the same logic now also runs on the firewall itself is logical and important. In the worst-case scenario, a compromised firewall is a master key to the network &#8211; any additional detection layer directly on the device makes more sense than any downstream correlation.  <\/p>\n<\/blockquote>\n\n<h2 class=\"wp-block-heading\" id=\"ndr-active-threat-intelligence-i-sensor-ips\">NDR Active Threat Intelligence (iSensor IPS)<\/h2>\n\n<p>SFOS v22 MR1 integrates the iSensor IPS technology from the SecureWorks Taegis platform. The detection patterns curated in this way supplement the classic IPS signature set with patterns that are geared towards active attackers in the network &#8211; i.e. lateral movement, C2 communication and comparable activities after an initial intrusion. 
<\/p>\n\n<p>The set can be activated under <em>Active threat response &gt; NDR<\/em>. The corresponding checkmark must then be set in the IPS settings in the firewall rules for the new detections to take effect. For XDR and MDR analysts, this means more context and shorter investigation paths because the detections target known adversary TTPs directly from the Taegis database.  <\/p>\n\n<h2 class=\"wp-block-heading\" id=\"ndr-essentials-fur-alle-plattformen\">NDR Essentials for all platforms<\/h2>\n\n<p>A question that has been asked repeatedly since v21.5: When will NDR Essentials also support virtual and cloud firewalls? With v22 MR1, this is now the case &#8211; NDR Essentials now runs on all Sophos Firewall platforms, i.e. XGS hardware, virtual appliances, cloud deployments and software installations. This removes the last major restriction that previously excluded virtual setups from NDR protection.  <\/p>\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>This is the logical continuation of the CPU-oriented architecture from v22. Anyone running a Sophos Firewall on VMware, Hyper-V or a hyperscaler was previously left out of the loop when it came to NDR Essentials &#8211; this gap has now been closed. <\/p>\n<\/blockquote>\n\n<h2 class=\"wp-block-heading\" id=\"audit-trail-mit-sophos-central-user-identitat\">Audit trail with Sophos Central user identity<\/h2>\n\n<p>When a single firewall is configured via Sophos Central, SFOS v22 MR1 now also logs which Sophos Central user triggered the change. Previously, only the generic Central account was often visible in the audit trail. With the new variant, it is now possible to trace the person behind a configuration change &#8211; even if it was not made directly on the web admin of the firewall. The information appears both in the log viewer of the firewall and in the logs and reports of Sophos Central.   
<\/p>\n\n<p>This is particularly relevant for NIS2-compliant organizations, as the traceability of administrative interventions is explicitly required there. In MSP environments with several technicians on the same tenant, it is a long overdue detail anyway. <\/p>\n\n<h2 class=\"wp-block-heading\" id=\"vpn-stabilitat-und-retirement-legacy-i-psec\">VPN stability and retirement legacy IPsec<\/h2>\n\n<p>SFOS v22 GA had a number of stability issues with policy-based IPsec VPNs, which were addressed in MR1. Specifically, the internal tickets NC-177450, NC-174800, NC-177136, NC-174304, NC-172504, NC-173054 and NC-176083 were fixed. Anyone who has been running v22 GA in production and has noticed dropouts or disconnections in policy-based tunnels should specifically check after the update whether the tunnels are now stable.<\/p>\n\n<p>At the same time, the <strong>Legacy Remote Access IPsec VPN<\/strong> is finally being discontinued with v22 MR1. Firewalls that still rely on this old IPsec variant cannot be updated to v22 MR1 or newer. Anyone affected must first migrate to the current Remote Access IPsec configuration &#8211; Sophos has published a <a href=\"https:\/\/support.sophos.com\/support\/s\/article\/KBA-000046956\" target=\"_blank\" rel=\"noopener\">separate KB article<\/a> on this.<\/p>\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>In practice, the majority of existing setups have long been on the new variant or on SSL VPN. Nevertheless, it is worth checking the configuration briefly before upgrading &#8211; otherwise the upgrade will be blocked.<\/p>\n<\/blockquote>\n\n<h2 class=\"wp-block-heading\" id=\"sophos-connect-2-0-fur-mac-os\">Sophos Connect 2.0 for macOS<\/h2>\n\n<p>With Sophos Connect 2.0 for macOS, SSL VPN connections can now also be established for remote access. Until now, SSL VPN via Sophos Connect was a Windows-only feature; macOS users had to fall back on IPsec or third-party clients. 
This further equalizes the feature set between the two client platforms. Details and supported macOS versions can be found in the <a href=\"https:\/\/docs.sophos.com\/releasenotes\/output\/en-us\/nsg\/connect_rn.html\" target=\"_blank\" rel=\"noopener\">Sophos Connect release notes<\/a>.<\/p>\n\n<h2 class=\"wp-block-heading\" id=\"microsoft-entra-id-sso-erzwungene-re-evaluierung\">Microsoft Entra ID SSO: forced re-evaluation<\/h2>\n\n<p>Previously, an existing SSO session could be reused under certain conditions without the conditional access policies in Entra ID being rechecked. In the worst case, this opened up a path to bypass MFA requirements if the session cookies were still valid. SFOS v22 MR1 now forces a re-check of the conditional access policies on session reuse. This is a classic security fix &#8211; not very visible, but important for environments that use Entra ID as a central identity source and rely on MFA.<\/p>\n\n<h2 class=\"wp-block-heading\" id=\"ssd-schonung-und-wi-fi-mtu\">SSD protection and Wi-Fi MTU<\/h2>\n\n<p>Two small but useful detail improvements:<\/p>\n\n<ul class=\"wp-block-list\">\n<li><strong>SSD service life<\/strong>: Write operations to the internal SSD have been optimized. This primarily affects devices with a high logging volume and extends the service life of the hardware.<\/li>\n\n\n\n<li><strong>Wi-Fi MTU\/MSS<\/strong>: The existing CLI commands can now also be used to adjust MTU and MSS values for Wi-Fi interfaces. This is a welcome tool in environments with overlapping tunnels or problematic paths in the Wi-Fi backhaul.<\/li>\n<\/ul>\n\n<h2 class=\"wp-block-heading\" id=\"sophos-firewall-config-studio-v-2\">Sophos Firewall Config Studio V2<\/h2>\n\n<p>Sophos Firewall Config Studio V2 (previously: Sophos Firewall Configuration Viewer) is a browser-based tool that does much more than its predecessor. 
It supports three central workflows:<\/p>\n\n<ul class=\"wp-block-list\">\n<li><strong>Configuration Report<\/strong>: All rules, policies and settings of a firewall can be displayed in a consolidated report. Practical for audits, handovers or onboarding new admins.<\/li>\n\n\n\n<li><strong>Configuration Compare<\/strong>: Two configurations can be compared directly. Added, changed, removed and unchanged entries are highlighted visually. This is exactly the tool that was missing for change reviews or for troubleshooting after a migration step, if you don&#8217;t want to pick apart the running firewall.<\/li>\n\n\n\n<li><strong>Configuration Editor<\/strong>: Configurations can be edited or imported directly in the tool. They can then be loaded back into the firewall or exported as an API or curl snippet &#8211; for example to automatically roll out changes.<\/li>\n<\/ul>\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>A configuration diff directly in the browser is a function that has been requested for years. Anyone who has ever tried to manually read two Sophos backups against each other knows why this tool is a real step forward. It will be interesting to see how stable the editor is with large configurations and how well the API export can be integrated into existing automation pipelines.<\/p>\n<\/blockquote>\n\n<p>The tool can be accessed via <a href=\"https:\/\/docs.sophos.com\/nsg\/sophos-firewall\/config-studio\/index.html\" target=\"_blank\" rel=\"noopener\">docs.sophos.com<\/a>.<\/p>\n\n<h2 class=\"wp-block-heading\" id=\"aktualisierter-cis-benchmark-fur-v-22\">Updated CIS benchmark for v22<\/h2>\n\n<p>The Health Check introduced with v22 is based on the CIS benchmarks. The underlying benchmarks have been updated for v22 and are available for download on the CIS website. Anyone using the Health Check as part of internal audits should use the new version as a reference.
<\/p>\n\n<h2 class=\"wp-block-heading\" id=\"kompatibilitat-und-hinweise\">Compatibility and notes<\/h2>\n\n<ul class=\"wp-block-list\">\n<li><strong>Legacy Remote Access IPsec VPN<\/strong>: Will be discontinued with v22 MR1. Migration to the current Remote Access IPsec configuration is a prerequisite for the upgrade. <\/li>\n\n\n\n<li><strong>Upgrade paths<\/strong>: SFOS v22 MR1 can be upgraded from all supported v21.5, v21 and v20 versions. Sophos Central can schedule and control the upgrade. <\/li>\n\n\n\n<li><strong>Backup before upgrade<\/strong>: As always, make a complete backup before the update and have a rollback plan ready.<\/li>\n\n\n\n<li><strong>Hotfix mechanism<\/strong>: Security-relevant patches continue to be released as over-the-air hotfixes without downtime. However, maintenance releases also bundle non-critical fixes &#8211; so an upgrade is worthwhile even without an acute reason. <\/li>\n<\/ul>\n\n<h2 class=\"wp-block-heading\" id=\"fazit\">Conclusion<\/h2>\n\n<p>Sophos Firewall v22 MR1 is a solid maintenance release. The most important points from our point of view: the VPN stability fixes for policy-based IPsec, the extended NDR essentials support on virtual platforms and the new audit trail with Sophos Central User Identity. Reverse shell detection on the firewall itself and the curated iSensor detections from the Taegis environment fit well into the line Sophos has taken with v22 &#8211; the firewall is gradually becoming a sensor platform that provides telemetry and not just filters packets.  <\/p>\n\n<p>What we are still missing has not changed since v22: the cloning and grouping of NAT rules. The <a href=\"https:\/\/www.avanet.com\/en\/blog\/sophos-firewall-feature-request\/\">wishes formulated around a year ago<\/a> have been partially implemented, the rest is still on the list. 
Perhaps in the next MR or in v23 at the latest, but perhaps Sophos will now pursue the strategy of outsourcing everything to the Sophos Firewall Config Studio and the firewall will remain as it is.   <\/p>\n\n<h2 class=\"wp-block-heading\" id=\"quellen\">More information<\/h2>\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/community.sophos.com\/sophos-xg-firewall\/b\/blog\/posts\/sophos-firewall-v22-mr1-is-now-available\" target=\"_blank\" rel=\"noopener\">Sophos Community: Sophos Firewall v22 MR1 is Now Available<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/support.sophos.com\/support\/s\/article\/KBA-000046956\" target=\"_blank\" rel=\"noopener\">Sophos KB: Retirement of the legacy IPsec remote access VPN in SFOS 22.0 MR1<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/docs.sophos.com\/nsg\/sophos-firewall\/config-studio\/index.html\" target=\"_blank\" rel=\"noopener\">Sophos Firewall Config Studio documentation<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Sophos Firewall v22 MR1 builds on the secure-by-design strategy introduced with v22 and extends it with additional telemetry, curated NDR detections from the Taegis environment and a few detailed improvements to VPN, SSO and storage. In addition, Sophos Firewall Config Studio V2 is a stand-alone tool that significantly simplifies configuration analysis and comparison. 
Secure by [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":169099,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[277],"tags":[],"class_list":["post-169631","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"blocksy_meta":[],"acf":[],"_links":{"self":[{"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/posts\/169631","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/comments?post=169631"}],"version-history":[{"count":0,"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/posts\/169631\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/media\/169099"}],"wp:attachment":[{"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/media?parent=169631"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/categories?post=169631"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/tags?post=169631"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}