Sophos Firewall v20 MR1 is now available

Credit to Author: Chris McCormack | Date: Wed, 15 May 2024 14:52:03 +0000

We’re pleased to announce the availability of Sophos Firewall v20 MR1. It’s our biggest maintenance release yet, rivaling a major firewall version in terms of new features.

What’s new

Firewall security and access

  • Device access updates provide more granular control over which services are accessible on the WAN, improving your firewall’s security posture (see below for more details)
  • New services added to the Local ACL exceptions list: AD SSO, captive portal, RADIUS SSO, client authentication, Chromebook, wireless, SMTP, RED, and IPsec
  • Added flexibility in access rule exceptions with support for FQDN hosts, host groups, and MAC addresses

OpenVPN upgraded to v2.6.0

  • The OpenVPN module in Sophos Firewall has been upgraded to v2.6.0 to enhance security and performance for SSL VPN. See the details below for incompatibilities and recommended solutions.

SD-WAN and VPN enhancements

  • SD-WAN scaling with minimal traffic disruption, including a 4x improvement in gateway availability time during HA failover and device reboot events
  • Remote access SSL VPN now provides an OpenVPN 3.0 client for users to download from the VPN portal
  • IPsec Phase-1 IKEv2 support for GCM and suite-B ciphers, providing better interoperability and throughput
  • DHCP Busybox improvements with a default lease time of 30 seconds to eliminate WAN disconnection issues

Zero-touch deployment

  • True zero-touch deployment of new firewalls is now possible via Sophos Central without the need for a resource on-site with a USB key (more on how to use this below)

Other enhancements

  • New generative-AI assistant for helping with your firewall management (see example below)
  • Localization language auto-detection at login based on browser language selection
  • A new debug file download option
  • New description field for IP, MAC, FQDN, and service objects
  • Improved IPv6 DHCP-PD prefix update
  • New CLI option to bypass system-generated traffic from IPsec site-to-site VPN in the case of “Any” matching criteria
  • OpenVPN updated to v2.6.0 and StrongSwan updated to v5.9.11

Important note on SSL VPN compatibility

OpenVPN has been upgraded to 2.6.0 in this release version. Firewalls upgraded to v20 MR1 won’t establish SSL VPN tunnels with the following clients and firewall versions:

  • SFOS v18.5 and earlier versions (end-of-life): Site-to-site SSL VPNs won’t be established between SFOS v18.5 or earlier versions and SFOS v20.0 MR1. We recommend that you plan an upgrade to v20.0 MR1 for all relevant firewalls at the same time. Alternatively, you can use site-to-site IPsec or RED tunnels.
  • Legacy SSL VPN client (end-of-life): Remote access SSL VPN tunnels won’t be established with the legacy SSL VPN client, which is already end-of-life. You can use the Sophos Connect client or third-party clients, such as the OpenVPN client, or use remote access IPsec tunnels.
  • UTM9 OS: Site-to-site SSL VPNs won’t be established between UTM9 OS and SFOS v20.0 MR1. We recommend that you migrate these devices to v20.0 MR1. Alternatively, you can use site-to-site IPsec or RED tunnels.
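Before the firewall side moves to OpenVPN 2.6.0, it is worth checking the profiles you hand to third-party OpenVPN clients for directives that 2.6 rejects or deprecates. The following linter is an added example for this page, not Sophos code: the removed and deprecated option lists are taken from the OpenVPN 2.6 release notes and the legacy-cipher list reflects what OpenSSL 3 only offers through its legacy provider, so verify both against the exact versions you run. The sample profile, including its `vpn.example.net` hostname and port, is constructed for the demonstration.

```python
"""Lint an OpenVPN client profile (.ovpn) for directives that OpenVPN 2.6
rejects or deprecates, so third-party client profiles can be reviewed
before the firewall side moves to 2.6.0.

Added example for this page; it is not Sophos code. The option lists
below follow the OpenVPN 2.6 release notes; verify them against the
version you actually run.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line severity option note")

# Options OpenVPN 2.6 removed outright: a client that still sets them will not start.
REMOVED_IN_2_6 = {
    "ncp-disable": "cipher negotiation can no longer be disabled; set data-ciphers instead",
    "inetd": "inetd/xinetd mode was removed",
    "keysize": "variable key sizes were removed",
    "prng": "PRNG selection was removed; the TLS library's RNG is used",
    "no-replay": "replay protection can no longer be disabled",
}

# Options still parsed but deprecated; fix them while the profile is open.
DEPRECATED = {
    "comp-lzo": "compression is deprecated; remove it unless the server still requires it",
    "compress": "compression is deprecated; remove it unless the server still requires it",
}

# Ciphers that OpenSSL 3 only provides through its legacy provider, so a 2.6
# build will not negotiate them without '--providers legacy'.
LEGACY_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC"}


def lint_profile(text):
    """Return a list of Finding for one profile's text (line 0 = whole profile)."""
    findings = []
    inline_block = None  # name of the <tag> ... </tag> block we are inside
    saw_cipher = saw_data_ciphers = False

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if inline_block:  # certificate/key bodies are not directives
            if line == f"</{inline_block}>":
                inline_block = None
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            inline_block = m.group(1)
            continue
        if not line or line[0] in "#;":
            continue

        parts = line.split()
        opt, args = parts[0].lstrip("-"), parts[1:]

        if opt in REMOVED_IN_2_6:
            findings.append(Finding(lineno, "removed", opt, REMOVED_IN_2_6[opt]))
        elif opt in DEPRECATED:
            findings.append(Finding(lineno, "deprecated", opt, DEPRECATED[opt]))

        saw_cipher = saw_cipher or opt == "cipher"
        saw_data_ciphers = saw_data_ciphers or opt == "data-ciphers"
        # Both 'cipher X' and 'data-ciphers A:B:C' can name a legacy cipher.
        if opt in ("cipher", "data-ciphers", "data-ciphers-fallback") and args:
            for name in args[0].split(":"):
                if name.upper() in LEGACY_CIPHERS:
                    findings.append(Finding(lineno, "legacy-cipher", opt,
                        f"{name} needs OpenSSL's legacy provider; prefer AES-GCM or CHACHA20-POLY1305"))

    if saw_cipher and not saw_data_ciphers:
        findings.append(Finding(0, "advisory", "data-ciphers",
            "profile relies on 'cipher' alone; add a data-ciphers list with an AEAD cipher"))
    return findings


def blocks_upgrade(findings):
    """True when the profile contains a directive a 2.6 client will refuse."""
    return any(f.severity == "removed" for f in findings)


# Constructed sample profile (hostname and port are placeholders, not a real export).
SAMPLE_PROFILE = """\
# constructed sample profile, not a real firewall export
client
dev tun
proto udp
remote vpn.example.net 8443
cipher BF-CBC
ncp-disable
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
ncp-disable
-----END CERTIFICATE-----
</ca>
verb 3
"""

if __name__ == "__main__":
    for f in lint_profile(SAMPLE_PROFILE):
        where = f"line {f.line}" if f.line else "profile"
        print(f"{where}: [{f.severity}] {f.option}: {f.note}")
```

Note that the `ncp-disable` inside the `<ca>` block is deliberately ignored: inline certificate and key bodies are skipped so that text inside them is never mistaken for a directive. A profile that only carries `data-ciphers` with AEAD ciphers produces no findings.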

Full release notes

How to get the firmware and documentation

Sophos Firewall OS v20 MR1 is a free upgrade for all licensed Sophos Firewall customers and should be applied to all supported firewall devices as soon as possible to ensure that you have all the latest security, reliability, and performance fixes.

This firmware release will follow our standard update process. You can manually download SFOS v20 MR1 from Sophos Central and update anytime. Otherwise, it will be rolled out to all connected devices over the coming weeks. A notification will appear on your local device or Sophos Central management console when the update is available, allowing you to schedule the update at your convenience.

Sophos Firewall OS v20 MR1 is a fully supported upgrade from all previous versions of v20, v19.5 and v19.0. Please refer to the Upgrade Information tab in the release notes for more details.

Full product documentation is available online and within the product.

Here’s a look at a few of these great new features in detail…

Device access security

Be sure to check out the latest device access enhancements and limit the services you make available on the WAN to improve your security posture:

What’s new:

  • New services added: IPsec/RED
  • ACL exception rule supports new host types: FQDN host, FQDN host group, MAC address, MAC address list
  • ACL exception rules now support new services: AD SSO, captive portal, RADIUS SSO, client authentication, Chromebook, wireless, SMTP, SNMP, RED, IPsec
  • Device access management page enhancements, with a new VPN service group and added info for exception rules
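Once you have tightened device access, the check that matters is what actually answers on the WAN address from the outside. The script below is an added example for this page, not Sophos code: it performs a plain TCP connect probe against a port list and reports any open port that is not in your intended set. The port-to-service map is an assumption about common defaults (`4444` WebAdmin, `443` user/VPN portal, `22` SSH, `8443` SSL VPN) and must be confirmed against your own firewall's admin and VPN settings; the target address `203.0.113.10` is a documentation placeholder.

```python
"""Confirm which management and VPN services answer on a firewall's WAN
address after tightening device access.

Added example for this page, not Sophos code. Run it from a host outside
the firewall (a cloud VM, a phone hotspot), never from the LAN side,
otherwise you are testing the LAN zone's device-access rules, not the WAN's.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

# Assumed default ports for common Sophos Firewall services; confirm them
# against the admin and VPN settings of your own firewall before relying on them.
ASSUMED_SERVICES = {
    22: "SSH",
    443: "User portal / VPN portal (HTTPS)",
    4444: "WebAdmin (HTTPS)",
    8443: "Remote access SSL VPN (TCP)",
}


def tcp_open(host, port, timeout=2.0):
    """TCP connect probe: True if something accepts the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unreachable all count as closed
        return False


def audit_wan(host, services, intended, timeout=2.0):
    """Probe every port in `services` on `host` and report what is exposed.

    Returns (open_ports, unexpected): `unexpected` holds open ports that are
    not in the `intended` set, i.e. the ones device-access rules should have
    closed. Probes run in parallel so filtered ports do not serialize the scan.
    """
    ports = sorted(services)
    with ThreadPoolExecutor(max_workers=min(16, len(ports) or 1)) as pool:
        results = pool.map(lambda p: tcp_open(host, p, timeout), ports)
        states = dict(zip(ports, results))
    open_ports = [p for p in ports if states[p]]
    unexpected = [p for p in open_ports if p not in intended]
    return open_ports, unexpected


if __name__ == "__main__":
    import sys
    # Placeholder WAN address (TEST-NET-3); pass the real one as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    # Assumed policy for this run: only the SSL VPN listener may face the WAN.
    opened, bad = audit_wan(target, ASSUMED_SERVICES, intended={8443})
    for p in opened:
        flag = "UNEXPECTED" if p in bad else "ok"
        print(f"{target}:{p} open  {ASSUMED_SERVICES[p]:<36} {flag}")
    sys.exit(1 if bad else 0)
```

The non-zero exit status when anything unexpected is open makes the script usable as a recurring check after firmware updates or rule changes, which is when WAN exposure tends to drift.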

New zero-touch firewall deployment from Sophos Central

Now you can pre-define, deploy, and then finish the configuration of your remote firewalls without having to do anything on-site other than plug it in. A USB device is no longer required!

Here’s how it works:

  1. Enter the device serial number in Sophos Central
  2. Preconfigure some essential settings in Sophos Central, such as time zone, LAN, WAN and DHCP settings, and initial protection preferences
  3. Deploy the firewall at the remote location by connecting power and WAN cables – and power it on. The firewall will automatically connect to Sophos Central at start-up and then download and apply the configuration from Step 2.
  4. You can now manage the firewall and finish the setup in Sophos Central

Consult the full documentation for details.

Generative AI firewall assistant

A new generative-AI powered Sophos Assistant is built in to help you with managing your firewall. You can ask the assistant any plain-language question and the assistant will provide instructions and links to helpful resources.

For example, if you want help configuring DNAT, you can simply ask:

And you will not only get a brief set of instructions to help guide you, but also a comprehensive list of resources to do a deeper dive if needed.

Automatic language detection at login

Your language will be automatically selected on the login screen based on your browser preferences.

Overall, this release is a fantastic update to your firewall, and as usual, it’s free for all licensed Sophos Firewall customers. With Sophos, you continue to get tremendous added value with every release.

Keep your firmware up to date

Sophos Firewall integrates an innovative hotfix capability that enables us to push urgent and important patches out to the firewall “over the air” to address any new zero-day vulnerabilities or other critical issues that arise. This enables a rapid fix to be applied without requiring any downtime normally associated with a firmware upgrade and restart. You get the benefit of important fixes being applied immediately without any manual effort on your part.

However, it’s super important to ensure your firewall firmware is kept up to date as non-urgent security fixes are often integrated into maintenance releases. Since all firmware updates are free for licensed Sophos Firewall customers, there’s no reason not to take advantage of all the great enhancements in every release.
