Date: 2025-04-08

We’re pleased to announce that the early access program (EAP) is now underway for the latest Sophos Firewall release. This update brings exciting industry-first enhancements and top-requested features, including…

Sophos NDR Essentials integration

Sophos Firewall customers with Xstream Protection now get Sophos NDR Essentials in the cloud, for no extra charge, significantly bolstering network protection:

Sophos NDR Essentials can detect active adversaries using encryption without using TLS decryption thanks to AI Convolutional Neural Network (CNN) analysis. Sophos NDR Essentials can also detect advanced domain generation algorithms that try to evade normal DNS and web filtering.

Sophos NDR Essentials delivers a new layer of protection, and since it’s cloud-hosted by Sophos, it doesn’t impact your firewall performance at all – further strengthening our industry-leading performance and protection. Review the What’s New Guide for full details.

Entra ID (Azure AD) single sign-on for remote access VPN

One of your top requested features makes remote access VPN easier for end users, enabling them to use their corporate network credentials with the Sophos Connect client and the firewall VPN portal:

Entra ID (Azure AD) single sign-on integration with Sophos Connect and the VPN portal is now included in SFOS v21.5

It provides cloud-native integration over the industry standard OAuth 2.0 and OpenID Connect protocols for a seamless experience

Supported with Sophos Connect client 2.4 (and later) on Microsoft Windows

Other VPN and scalability enhancements

User interface and usability enhancements: Connection types have been renamed from “site-to-site” to “policy-based,” and tunnel interfaces have been renamed to “route-based” to make these more intuitive

Improved IP lease pool validation: Across SSLVPN, IPsec, L2TP, and PPTP remote access VPN to eliminate potential IP conflicts

Strict profile enforcement: On IPsec profiles that exclude default values to ensure a successful handshake, eliminating potential packet fragmentation and tunnels failing to establish properly

Route-based VPN scalability: Route-based VPN capacity is doubled with support for up to 3,000 tunnels

SD-RED scalability: Sophos Firewalls now support up to 1,000 site-to-site RED tunnels and up to 650 SD-RED devices.

Sophos DNS Protection

Last year, we launched our DNS Protection service and made it free for all Xstream Protection-licensed firewall customers. With this release, Sophos DNS Protection gets further integration with Sophos Firewall:

New control center widget to indicate service status

New troubleshooting insights via logging and notifications

New guided tutorial on how to set up Sophos DNS Protection easily

Streamlined management and quality-of-life enhancements

As with every Sophos Firewall release, this version includes several quality-of-life enhancements that make day-to-day management easier:

Resizable table columns: A long-requested feature, many firewall status and configuration screens now support resizable column widths that are retained in browser memory for subsequent visits. Many screens such as SD-WAN, NAT, SSL, Hosts and services, and site-to-site VPN, all benefit from this new feature.

Extended free text search: SD-WAN routes now enable searching by route name, ID, objects, and object values like IP addresses, domains, or other criteria. Local ACL rules also now support searching by object name and value, including content-based search.

Default configuration: By popular demand, the default firewall rules and rule group previously created when setting up a new firewall have been removed with only the default network rule and MTA rules provided during initial setup. The default firewall rule group and the default gateway probing for custom gateways are both set to “None” by default.

New font: The Sophos Firewall user interface now sports a new lighter, cleaner, sharper font for added readability and improved performance

Other enhancements

Virtual, software, cloud licensing: In case you missed it, all Sophos Firewall virtual, software, and cloud licenses (BYOL) no longer have RAM limits. Licenses are now strictly limited by core count and have no RAM restrictions.

Larger file size limit in WAF: Supports a configurable request (upload) file size limit for Web Application Firewall (WAF), which can now scan files up to 1 GB

Secure by design: We are continually improving the security of Sophos Firewall, and in this release are adding real-time telemetry gathering to flag any unexpected changes to core OS files using secure hash validation. This will enable our monitoring teams to proactively identify potential security incidents early before they can become a real problem.

DHCP prefix delegation relaxation: Now supports /48 to /64 prefixes, improving interoperability with ISPs. Router advertisements (RA) and the DHCPv6 server are also now enabled by default.

Path MTU discovery: This will resolve TLS decryption errors due to the latest ML-KEM (Kyber) key exchange support in browsers. The Sophos Firewall deep packet inspection engine will now automatically detect and adjust the MTU for each flow, ensuring optimal performance based on specific network conditions.

NAT64 (IPv6 to IPv4 traffic): NAT64 is supported for IPv6 to IPv4 traffic in explicit proxy mode. In this mode, IPv6-only clients can access IPv4 websites. The firewall also supports IPv4 upstream proxy for IPv6-only clients.

Get the full details

Download the full What’s New Guide for a complete overview of all the great new features and enhancements in v21.5.

Get started today

You can download the upgrade package or installer for v21.5 from the Sophos Firewall v21.5 EAP Registration Page. Simply submit your details and the download links will be emailed to you straight away.

All support during the EAP will be through our forums on the Sophos Firewall Community.

Please provide feedback using the option at the top of every screen in your Sophos Firewall or via the Community Forums.

Thanks for your support in helping make this release the best it can be!