VPN enhancements in SFOS v19
Credit to Author: Chris McCormack| Date: Wed, 30 Mar 2022 15:24:30 +0000
Sophos Firewall OS v19 includes several new innovations. In this article, we cover a variety of enhancements that have been made to VPN management and operation to help make orchestrating your SD-WAN overlay networks, site-to-site VPN tunnels, and remote-access VPN much easier.
Central VPN orchestration
Sophos Firewall OS v19 takes full advantage of the recently updated SD-WAN VPN orchestration capabilities in Sophos Central, which provide a quick and easy way to define complex overlay networks with just a few clicks:
- You simply select the firewalls you have under management that you wish to participate in the SD-WAN connection group
- Then select the network resources you wish every site to have access to
- With the flip of a switch, you watch your SD-WAN VPN overlay network come to life as all the necessary firewall access rules and tunnels are created for you automatically
Check out this quick video overview to see how easy it can be to create full mesh, hub-and-spoke, or anything in between – now with full tunnel redundancy and failover options:
On-box VPN management
If you’re managing your VPN overlay networks directly on your firewall, SFOS v19 makes it a lot more intuitive and easier as well.
Remote access and site-to-site VPN now have their own main menu entries, making it easier to find what you’re looking for.
Submenus have been added to IPsec, SSL, and LT2P tabs to provide quick access to settings, client downloads, and the log viewer.
IPsec policies have been renamed to profiles and have been moved to the System > Profiles area of the system but are hyperlinked from the IPsec configuration screen as shown for quick access.
SSL Remote Access now includes a new wizard assistant to greatly streamline and easily configure everything required for remote access.
Clientless polices, bookmarks, and bookmark groups have all been consolidated onto a single tab.
A new tab has been added for easy setup of Amazon Web Services VPC tunnels (which we will cover in the next article in this series).
Watch this video for a detailed look at all the user interface enhancements:
VPN operational enhancements in v19
Several additional enhancements have been made to VPN operations in Sophos Firewall OS v19:
- Custom policy support for IPSEC RA:
- Helps address a potential PCI compliance issue with the default IPsec RA policy
- Enables the configuration of a custom rekey time to avoid regular MFA prompts every four hours
- Adds a new option to increase idle timeout from 10 minutes up to 6 hours
- Route-based VPN (RBVPN) enhancements:
- Added support for static multicast routes
- Support traffic selectors in route-based VPNs (RBVPN)
- Supports the definition of traffic selectors within a specific RBVPN, which only permits traffic through the tunnel if the traffic matches the specified pair of local and remote addresses
- GCM and Suite-B cipher suite support for IPsec
- AES-GCM for IPSec significantly improves IPsec VPN performance
- SSL VPN:
- Upgrades Open VPN / Open SSL
- Default TLS 1.3 support on SSL VPN tunnels
- AES-NI path enabled
- GCM Encryption support for SSL VPN
VPN logging enhancements
A new log viewer module selection for VPN is available, making it easy to monitor and troubleshoot VPN connections for both remote access and site to site type tunnels using either IPsec or SSL.
Also, IPsec logging messages are enriched with more details for better understanding.