Sophos Firewall OS v19 was released just a few months ago, and has already been adopted by a huge number of partners and customers.
They’ve upgraded to take advantage of the many Xstream SD-WAN and VPN enhancements. This latest update, v19 MR1, brings a number of additional enhancements and fixes to what is already one of our best firewall updates ever.
VPN and SD-WAN enhancements
- SSLVPN remote access – static IP lease support to enable mapping of remote users with static IP addresses to improve user traceability, monitoring and visibility. This also includes static IP leases with an external Radius server.
- IPsec VPN enhancements – includes adding default IPsec site-to-site IKEv2 policies for improved head office to branch office tunnels, eliminating manual fine tuning for re-key interval, dead peer detection (DPD) action, and key negotiation. Defaults were also updated to prevent flapping of UDP connections (VoIP, Skype, RDP, Zoom, etc.). Also disabled “vpn conn-remove-tunnel-up” and enabled “vpn conn-remove-on-failover” for new configuration (but does not impact existing deployments).
- SD-RED – now supports multiple DHCP servers for RED interfaces
- SD-WAN Profiles – The Rule-ID and index column are added on the SD-WAN profile management page for easier troubleshooting
- Anti-malware engine – anti-malware engines and associated components were upgraded to full 64-bit operation to provide optimal performance and future support. Note that the secondary malware scan engine, Avira, will no longer provide detection updates for the 32-bit version after December 31, 2022. Anyone using Avira will need to upgrade to v19 MR1 or v18.5 MR5 (to be released soon) before the end of the year or switch to just using the Sophos engine.
- Synchronized Security – improved Sophos Central Firewall Management resilience in environments with thousands of endpoint certificates being used for Synchronized Security Heartbeat.
- Email – added an option to report a spam email as a false positive from the quarantine release screen
- Sophos Assistant – added an option to opt-out of the Sophos Assistant
- Additional fixes – over 50+ additional performance, stability, and security fixes and enhancements are also included
See the release notes for full details.
Important licensing change for future firmware updates
As covered in this recent community blog post, SFOS v19 MR1 introduces a support requirement for firmware upgrades which will come into effect for customers without a valid support subscription after they’ve used an initial free upgrade allocation.
- No change for customers with a valid support subscription (about 80% of customers)
- Future action will be required by the remaining 20% who do not have a support subscription, but also no immediate change
How to get it
This release will follow our regular Firewall firmware release process and timeline.