We’re happy to announce the provision of Sophos Firewall v20 MR1. It’s our greatest upkeep launch but, rivaling a serious firewall model by way of new options.
What’s new
Firewall safety and entry
- System entry updates present extra granular management over which providers are accessible on the WAN, enhancing your firewall’s safety posture (see under for extra particulars)
- New providers added to the Native ACL exceptions checklist: AD SSO, captive portal, RADIUS SSO, consumer authentication, Chromebook, wi-fi, SMTP, RED, and IPsec
- Added flexibility in entry rule exceptions with help for FQDN hosts, host teams, and MAC addresses
OpenVPN upgraded to v2.6.0
- The OpenVPN module in Sophos Firewall has been upgraded to v2.6.0 to boost safety and efficiency for SSL VPN. See the main points under for incompatibilities and really useful options.
SD-WAN and VPN enhancements
- Scaled SD-WAN minimal visitors disruption with a 4x enchancment in gateway availability time throughout HA failover and system reboot occasions
- Distant entry SSL VPN now offers an OpenVPN 3.0 consumer for customers to obtain from the VPN portal
- IPsec Section-1 IKEv2 help for GCM and suite-B ciphers, offering higher interoperability and throughput
- DHCP Busybox enhancements with a default lease time of 30 seconds to get rid of WAN disconnection points
Zero-touch deployment
- True zero-touch deployment of recent firewalls is now attainable through Sophos Central with out the necessity for a useful resource on-site with a USB key (extra on tips on how to use this under)
Different enhancements
- New generative-AI assistant for serving to along with your firewall administration (see instance under)
- Localization language auto-detection at login based mostly on browser language choice
- A brand new debug file obtain possibility
- New description subject for IP, MAC, FQDN, and repair objects
- Improved IPv6 DHCP-PD prefix replace
- New CLI choice to bypass system-generated visitors from IPsec site-to-site VPN within the case of “Any” matching standards
- New OpenVPN v2.6.0 and StrongSwan v5.9.11 up to date
Necessary notice on SSL VPN compatibility
OpenVPN has been upgraded to 2.6.0 on this launch model. Firewalls upgraded to v20 MR1 gained’t set up SSL VPN tunnels with the next purchasers and firewall variations:
- SFOS v18.5 and earlier variations (end-of-life): Web site-to-site SSL VPNs gained’t be established between SFOS v18.5 or earlier variations and SFOS v20.0 MR1. We advocate that you just plan an improve to v20.0 MR1 for all related firewalls on the identical time. Alternatively, you need to use site-to-site IPsec or RED tunnels.
- Legacy SSL VPN consumer (end-of-life): Distant entry SSL VPN tunnels gained’t be established with the legacy SSL VPN consumer, which is already end-of-life. You should use the Sophos Join consumer or third-party purchasers, such because the OpenVPN consumer, or use distant entry IPsec tunnels.
- UTM9 OS: Web site-to-site SSL VPNs gained’t be established between UTM9 OS and SFOS 2v0.0 MR1. We advocate that you just migrate these gadgets to v20.0 MR1. Alternatively, you need to use site-to-site IPsec or RED tunnels.
get the firmware and documentation
Sophos Firewall OS v20 MR1 is a free improve for all licensed Sophos Firewall clients and needs to be utilized to all supported firewall gadgets as quickly as attainable to make sure that you may have all the newest safety, reliability, and efficiency fixes.
This firmware launch will observe our customary replace course of. You’ll be able to manually obtain SFOS v20 MR1 from Sophos Central and replace anytime. In any other case, will probably be rolled out to all linked gadgets over the approaching weeks. A notification will seem in your native system or Sophos Central administration console when the replace is out there, permitting you to schedule the replace at your comfort.
Sophos Firewall OS v20 MR1 is a totally supported improve from all earlier variations of v20, v19.5 and v19.0. Please seek advice from the Improve Info tab within the launch notes for extra particulars.
Full product documentation is out there on-line and throughout the product.
Right here’s a take a look at a couple of of those nice new options intimately…
System entry safety
Remember to take a look at the newest system entry enhancements and restrict the providers you make out there on the WAN to enhance your safety posture:
What’s new:
- New providers added : IPsec/RED
- ACL exception rule helps new host varieties: FQDN host, FQDN host group, MAC handle, MAC handle checklist
- ACL exception guidelines now help new providers: AD SSO, captive portal, Radius SSO, consumer authentication, Chromebook, wi-fi, SMTP, SNMP, RED, IPsec
- System entry administration web page enhancements, with a brand new VPN service group and added information for exception guidelines
New zero-touch firewall deployment from Sophos Central
Now you may pre-define, deploy, after which end the configuration of your distant firewalls with out having to do something on-site aside from plug it in. A USB system is now not required!
Right here’s the way it works:
- Enter the system serial quantity in Sophos Central
- Preconfigure some important settings in Sophos Central, equivalent to time zone, LAN, WAN and DHCP settings, and preliminary safety preferences
- Deploy the firewall on the distant location by connecting energy and WAN cables – and energy it on. The firewall will robotically connect with Sophos Central at start-up after which obtain and apply the configuration from Step 2.
- Now you can handle the firewall and end the setup in Sophos Central
Seek the advice of the full documentation for particulars.
Generative AI firewall assistant
A brand new generative-AI powered Sophos Assistant is inbuilt that will help you with managing your firewall. You’ll be able to ask the assistant any plain-language query and the assistant will present directions and hyperlinks to useful sources.
For instance, in order for you assist configuring DNAT, you may merely ask:
And you’ll not solely get a quick set of directions to assist information you, but additionally a complete checklist of sources to do a deeper dive if wanted.
Automated language detection at login
Your language shall be robotically chosen on the login display based mostly in your browser preferences.
Total, this launch is a incredible replace to your firewall, and as traditional, it’s free for all licensed Sophos Firewall clients. With Sophos, you proceed to get great added worth with each launch.
Preserve your firmware updated
Sophos Firewall integrates an revolutionary hotfix functionality that permits us to push pressing and essential patches out to the firewall “over the air” to handle any new zero-day vulnerabilities or different crucial points that come up. This allows a speedy repair to be utilized with out requiring any downtime usually related to a firmware improve and restart. You get the advantage of essential fixes being utilized instantly with none handbook effort in your half.
Nevertheless, it’s tremendous essential to make sure your firewall firmware is saved updated as non-urgent safety fixes are sometimes built-in into upkeep releases. Since all firmware updates are free for licensed Sophos Firewall clients, there’s no cause to not benefit from all the good enhancements in each launch.