We are excited to announce the initiation of the early access program (EAP) for the most recent release of Sophos Firewall. The update introduces innovative enhancements and features that have been highly requested, including…
Integration of Sophos NDR Essentials
Customers of Sophos Firewall with Xstream Protection now have access to Sophos NDR Essentials in the cloud at no additional cost, significantly enhancing network security:
Utilizing AI Convolutional Neural Network (CNN) analysis, Sophos NDR Essentials can identify active threats using encryption without relying on TLS decryption. Additionally, it can detect sophisticated domain generation algorithms that attempt to bypass conventional DNS and web filtering methods.
Offering an additional layer of security, Sophos NDR Essentials is cloud-hosted by Sophos, ensuring no impact on firewall performance and further solidifying our position as a leader in performance and security. Refer to the Comprehensive Guide to New Features for more details.
Entra ID (Azure AD) Single Sign-On for Remote Access VPN
A highly anticipated feature is now available, making remote access VPN simpler for end users by allowing them to utilize their corporate network credentials with the Sophos Connect client and the firewall VPN portal:
- Integration of Entra ID (Azure AD) single sign-on with Sophos Connect and the VPN portal is now incorporated in SFOS v21.5
- This integration offers seamless cloud-native compatibility through the industry-standard OAuth 2.0 and OpenID Connect protocols
- Supported on Microsoft Windows with Sophos Connect client 2.4 (and later)
Additional VPN and Scalability Improvements
- Enhancements in user interface and usability: Renaming of connection types from “site-to-site” to “policy-based,” and tunnel interfaces to “route-based” for improved clarity
- Enhanced IP lease pool validation: Improved validation across SSLVPN, IPsec, L2TP, and PPTP remote access VPN to prevent potential IP conflicts
- Strict enforcement of profiles: Ensuring successful handshake on IPsec profiles by excluding default values, mitigating potential packet fragmentation and preventing tunnel establishment failures
- Increased scalability of route-based VPN: Support for up to 3,000 tunnels with route-based VPN
- Enhanced SD-RED scalability: Sophos Firewalls now support up to 1,000 site-to-site RED tunnels and up to 650 SD-RED devices.
Integration of Sophos DNS Protection
Building upon last year’s introduction of DNS Protection service, now free for all Xstream Protection-licensed firewall customers, Sophos DNS Protection is now further integrated with Sophos Firewall:
- Inclusion of a new control center widget indicating service status
- Additional troubleshooting insights through logging and notifications
- Guided tutorial on setting up Sophos DNS Protection effortlessly
Enhanced Management Experience and Quality-of-Life Improvements
Continuing the trend of Sophos Firewall releases, this version incorporates several quality-of-life enhancements that enhance day-to-day management:
- Resizable table columns: Many firewall status and configuration screens now support resizable column widths that are retained in browser memory for future visits, including SD-WAN, NAT, SSL, Hosts and services, and site-to-site VPN screens
- Expanded free text search functionality: Enhanced search capabilities by route name, ID, objects, and object values such as IP addresses, domains, and other criteria for SD-WAN routes. Local ACL rules now support searching by object name and value, enabling content-based searches.
- Default configuration adjustments: Default firewall rules and rule groups created during new firewall setup have been eliminated, with only the default network rule and MTA rules provided during initial setup. The default firewall rule group and default gateway probing for custom gateways are both set to “None” by default.
- Introduction of a new font: The Sophos Firewall user interface now features a new, lighter font for improved readability and performance
Other Enhancements
- Virtual, software, and cloud licensing: As highlighted previously, Sophos Firewall virtual, software, and cloud licenses (BYOL) now have no RAM limitations, strictly based on core count with no RAM constraints
- Increased file size limit in WAF: Added support for configurable request (upload) file size limits of up to 1 GB for Web Application Firewall (WAF), enabling scanning of larger files
- Emphasis on security: Improved security measures on Sophos Firewall, including real-time telemetry collection to identify any unexpected changes to core OS files using secure hash validation for proactive detection of potential security incidents
- Relaxation of DHCP prefix delegation: Support for /48 to /64 prefixes, enhancing compatibility with ISPs. Router advertisements (RA) and the DHCPv6 server are now enabled by default
- Path MTU discovery: Addressing TLS decryption errors related to the latest ML-KEM (Kyber) key exchange in browsers by automatically detecting and adjusting the MTU for each flow, optimizing performance based on network conditions
- NAT64 (IPv6 to IPv4 traffic): Implicit proxy mode support for NAT64 in IPv6 to IPv4 traffic, allowing IPv6-only clients to access IPv4 websites. Additionally, the firewall supports IPv4 upstream proxy for IPv6-only clients
Access the Complete Details
For a comprehensive overview of all the new features and enhancements in v21.5, download the complete What’s New Guide.
Begin Today
To get started with version 21.5, download the upgrade package or installer from the Sophos Firewall v21.5 EAP Registration Page. Simply provide your details, and the download links will be sent to you promptly via email.
All support during the EAP phase will be available through our forums on the Sophos Firewall Community.
We welcome your feedback, which can be submitted by using the option located at the top of each screen on your Sophos Firewall, illustrated below or through the Community Forums.
We appreciate your support in enhancing this release to its fullest potential!
About Author
