We are excited to let you know that the latest version of Sophos Firewall, v20 MR1, is now available. Although it is a maintenance release, its scope is comparable to the advancements typically seen in a major firewall version.
Key Improvements
Enhancements in Firewall Security and Access
- Enhanced device access management provides more granular control over WAN-accessible services, helping to harden your firewall (refer to the details below)
- Additional services have been incorporated into the Local ACL exceptions list, including AD SSO, captive portal, RADIUS SSO, client authentication, Chromebook, wireless, SMTP, RED, and IPsec
- Increased flexibility in access rule exceptions, now supporting FQDN hosts, host groups, and MAC addresses
Upgrade to OpenVPN v2.6.0
- The OpenVPN module within Sophos Firewall has been updated to version 2.6.0 to enhance the security and efficiency of SSL VPN. For details on incompatibilities and recommended solutions, please see below.
Enhancements in SD-WAN and VPN
- Improved SD-WAN functionality to minimize traffic disruptions with a 4x enhancement in gateway availability time during HA failover and device reboot scenarios
- Remote access SSL VPN now offers an OpenVPN 3.0 client for users to download via the VPN portal
- Support for IPsec Phase-1 IKEv2 with GCM and suite-B ciphers, leading to improved interoperability and throughput
- Enhancements in DHCP Busybox with a default lease time of 30 seconds to address WAN disconnection concerns
Zero-Touch Deployment
- Complete zero-touch deployment of new firewalls is now attainable through Sophos Central, eliminating the necessity for an on-site resource with a USB key (further details on usage below)
Other Enhancements
- Introduction of a generative-AI assistant to aid in firewall management (see illustration below)
- Automatic localization language detection during login based on browser language selection
- Introduction of a new debug file download option
- Additional description field for IP, MAC, FQDN, and service objects
- Enhanced IPv6 DHCP-PD prefix update
- New CLI option to bypass system-generated traffic from IPsec site-to-site VPN for “Any” matching criteria scenarios
- Updated versions of OpenVPN v2.6.0 and StrongSwan v5.9.11
Important Note on SSL VPN Compatibility
With the introduction of OpenVPN v2.6.0 in this release, firewalls upgraded to v20 MR1 will not establish SSL VPN tunnels with certain clients and firewall versions. Please find detailed information below:
- SFOS v18.5 and prior versions (end-of-life): Site-to-site SSL VPNs will not be established between SFOS v18.5 or earlier versions and SFOS v20.0 MR1. It is recommended to plan an upgrade to v20.0 MR1 for all relevant firewalls simultaneously. Alternatively, you can utilize site-to-site IPsec or RED tunnels.
- Legacy SSL VPN client (end-of-life): Remote access SSL VPN tunnels will not be established through the legacy SSL VPN client, which has reached end-of-life. You may consider using the Sophos Connect client or third-party clients like the OpenVPN client or resort to remote access IPsec tunnels.
- UTM9 OS: Site-to-site SSL VPNs will not be established between UTM9 OS and SFOS v20.0 MR1. It is advised to migrate these devices to v20.0 MR1. Otherwise, you can use site-to-site IPsec or RED tunnels.
Read the complete release notes here
Accessing the Firmware and Documentation
Sophos Firewall OS v20 MR1 is a complimentary upgrade for all licensed customers of Sophos Firewall and should be installed on all supported firewall devices promptly to ensure you benefit from the latest security enhancements, reliability, and performance improvements.
This firmware update will adhere to our standard updating process. You have the option to manually download SFOS v20 MR1 from Sophos Central and perform the update whenever convenient. Alternatively, the update will be automatically distributed to all connected devices in the following weeks. You will receive a notification on either your local device or Sophos Central management console once the update is available, granting you the flexibility to schedule the update as per your convenience.
Sophos Firewall OS v20 MR1 is fully compatible for upgrade from all prior versions of v20, v19.5, and v19.0. For additional details, please refer to the Upgrade Information section in the release notes.
Comprehensive product documentation is accessible both online and within the product.
Explore some of these impressive new features in more detail…
Enhanced Device Access Security
Review the latest device access upgrades to restrict the services available on the WAN and enhance your security protocols:
What’s Fresh:
- Inclusion of new services: IPsec/RED
- ACL exception rules now accommodate new host types: FQDN host, FQDN host group, MAC address, MAC address list
- ACL exception rules now support additional services: AD SSO, captive portal, RADIUS SSO, client authentication, Chromebook, wireless, SMTP, SNMP, RED, IPsec
- Enhancements on the device access management page, incorporating a new VPN service group and increased information on exception rules
Streamlined Zero-Touch Firewall Deployment from Sophos Central
You can now predefine, deploy, and finalize the configuration of your remote firewalls without any on-site work other than connecting them. The use of a USB device is no longer necessary!
Here’s the procedure:
1. Enter the device serial number in Sophos Central
2. Configure essential settings in Sophos Central, such as time zone, LAN, WAN, DHCP settings, and initial protection preferences
3. Install the firewall at the remote site by connecting the power and WAN cables, then power it on. The firewall will automatically establish a connection with Sophos Central during startup and retrieve the configuration from Step 2.
4. You can now manage the firewall and complete the setup in Sophos Central
Refer to the complete documentation for further information.
Artificial Intelligence-based firewall assistant
The innovative Generative AI-powered Sophos Assistant is here to assist you in managing your firewall efficiently. Just present your queries in plain language to the assistant, and it will offer guidance and direct you to relevant resources.
For instance, if you require assistance with DNAT configurations, simply ask the assistant:
You will receive concise instructions and a plethora of resources to explore further when needed.
Automatic browser language detection during login
Based on your browser settings, your preferred language will automatically be selected on the login screen.
This new firewall update is an excellent enhancement, and as always, it is provided at no cost for all licensed Sophos Firewall users. With Sophos, you consistently receive exceptional value with each release.
Ensure your firmware stays current
The Sophos Firewall incorporates an advanced hotfix feature that allows immediate deployment of critical patches to address emerging zero-day vulnerabilities or other essential concerns “over the air,” without requiring any downtime typically associated with a firmware upgrade and reboot. This feature enables quick fixes without any manual intervention from your end.
Nevertheless, it is crucial to keep your firewall firmware up to date as non-urgent security fixes are frequently included in maintenance updates. Since all firmware updates are complimentary for licensed Sophos Firewall customers, there is every reason to leverage the remarkable enhancements in every release.