The Firewall Health Check: Optimizing your Security Setup webinar is focused on sharing best practices while highlighting important features within Sophos Firewall.
Please find resources, answers to the questions asked, and the link to the webinar recording below.
Webinar recording
You can access the recording here
Related Resources
Questions and Answers
Q: How can we block unauthorized connections to IPsec VPN?
A: It can be done at the global level via a Local ACL rule found under Device Access. Disable the IPsec service for the WAN zone and, under the ACL rule, allow only specific public IP addresses to connect. You can find more information here.
Q: In SFOS v21, do we need to change SSL VPN clients or certificates or is it seamless? This wasn't the case with v19 to v20?
A: It's seamless and automated with the Sophos Connect client. You can find more information here.
Q: How can we tell if the configuration of IPSec VPN or site to site VPN is working properly?
A: We recommend reviewing this documentation for more information.
Q: Is there a way to create a Firewall rule using Wifi SSID?
A: Yes. Create a zone-based rule for the zone the SSID is associated with (for example, a WiFi to WAN rule where your SSID is part of the WiFi zone).
Q: When deleting Authentication user, a firewall rule, VPN connection, web policy rule, or SSL/TLS inspection rule may exist for the user. Is there an easy way to locate which rule/policy they are included with?
A: Not at this time. Right now, there isn't an easy way to identify this, but we will take this as a feature request.
Q: Will the configuration on the XG series be smoothly imported into the XGS series?
A: We recommend reviewing our documentation on the XG transition. Overall though, with the backup and restore process, you can migrate your XG configuration to the equivalent XGS model fairly smoothly.
Q: I have a few SOPHOS SG systems. What do I need to do to migrate properly to XGS?
A: Please reach out to Sophos Support with the backup file of the UTM to migrate to XGS. There are a few differences in what can and cannot be migrated.
Q: Can we have more details on the ZTNA changes – what are the new features/services?
A: For more details on the ZTNA changes, we recommend reviewing this documentation.
Q: What happens if a Sophos license expires? Will the firewall still be usable?
A: Yes, but the security features will no longer work. You can find more information here.
Q: Is v21 available for XGS 136 yet? If it is and we're not seeing it as an option to update, what should we do?
A: As with all Sophos updates, we will be doing a staged rollout for customers. You can log in to Sophos Central and, under the firewall license, check whether the firmware is available for you.
Q: Can we update the XG model to XGS before the license renewal date? We leverage XG 135.
A: Yes, you can. We recommend reviewing this Frequently Asked Questions page about the XG to XGS transition.
Q: At the reports section, my SGX2100 shows no record found. How can I retrieve these records? Do we need to enable other loggings?
A: Please review this documentation for more information. For further support we recommend connecting with Sophos Support.
Q: Is SD RED going to have any issues with the EOL XG?
A: You should connect your SD RED to the new XGS. After the end-of-life date, the XG's base license will have expired, so it will not work.
Q: Regarding Sophos Firewall Reports (Logs), is there an auto purge option once they are transferred to Sophos Central? I needed to do this manually when I reached 80% of the disk of my Sophos Firewall XGS2300.
A: There is no automated approach. Once you have identified which log module fills up quickly, you can go ahead and change the log retention period of that module on the firewall. You can find more information here.
Q: Can XGS connect to Azure IPsec easier?
A: Yes. IKEv2 is supported with route-based VPN.
Q: What are the best practices for upgrading to Sophos XGS firewall? Do I need to do it step by step or just upgrade it to latest version?
A: Please check the backup and restore compatibility before upgrading to a major version, for example when going from v19 to v21 directly. You can find more information here.
Q: Will our existing XG firewalls and associated subscriptions stop working after the March 2025 EOL date?
A: Sophos Firewall XG series deployments that still have a valid license and subscriptions will continue to run after the end-of-life date, but over time functionality and security will be degraded.
Q: How long does Sophos store the local logs?
A: Log Viewer logs will be stored for 7 days. You can find more information here.
Q: For the firmware upgrades, can you please explain GA, feature release, and MR?
A: GA is globally available, which is used for a major firmware release like v21 GA. After that, normal releases are called a Maintenance Release, or MR.
Q: Can you provide the latest complete API documentation?
A: You can find the latest API documentation here.
Q: Can I receive alert notifications from users SSL VPN and additionally from source IP?
A: You can connect to a syslog server. You can find more information here.
Q: What is the best practice to protect our internal network against the ransomware attacks? Currently, we're using XGS 2100 firewall.
A: For more information on Firewall hardening best practices, please review this documentation.
Q: Does Sophos Firewall work with AI?
A: Not at this time.
Q: We have Sophos XGS 3100. Can we connect with SD WAN to Azure?
A: Yes. You can connect SD WAN to Azure.
Q: On our side we have 2 XG Firewalls, both are connected to FortiGate NGFW. One unit of the XG is able to connect at 100Mbps, but the other one is only able to get 10Mbps. How can we fix this issue?
A: Please check if the Interface and Link negotiation speed is set to full duplex and auto. Please contact the Sophos Support team to investigate further if needed.
Q: We're getting a lot of failed logon attempts on the VPN service on the firewall - is there a way to block all IPs, except for those from a specific country? I've been blocking countries or country groups, but feel allowing one country as the exception would be a more efficient way to do it.
A: This can be done at the global level via a Local ACL rule found under Device Access. Disable the IPsec/SSL VPN service for the WAN zone and, under the ACL rule, allow only specific public IP addresses to connect. You can find more information here.
Q: As the XG device approaches its end-of-life, may I kindly ask if it can still be utilized effectively? If not, I would appreciate your recommendations for its continued use or replacement options.
A: We strongly advise against the continued use of any EOL product. After the EOL date the functionality included with the Base License (Firewall/ VPN/ Wi-Fi) will still be available; however, as the software will not receive further updates, this component will age, and any issues or security vulnerabilities will NOT be fixed. We recommend connecting with your Account Executive to determine the best replacement options. There are model-to-model transition options, while a higher model may be needed if you require an upgrade.
Q: Can we manage all the Firewalls from the same Sophos Central? For example, registered with different emails as well?
A: The firewalls have to be registered to the same Sophos Central account to manage them.
Q: Is Sophos Central registration free? We haven't tried it yet.
A: Yes. Sophos Central does not cost anything extra to use.
Q: Is v21 free from issues? Currently we're still running v20.
A: You can check the release notes for the most up-to-date information related to the v21 release.
Q: Can inspect all content in Sophos X-Ops Threat Feeds affect the speed and latency of the network?
A: Generally, no, although it can differ from network to network.
Q: We’ve experienced issues with country blocking certain .ru domains. Does Sophos only support traditional country naming standards?
A: We recommend reviewing our documentation on troubleshooting country blocking issues. If you continue having issues, please contact the Sophos Support team.
Q: Could you please provide information on the potential End-of-Life (EOL) date for the Sophos XGS firewall series? This would help us in planning future upgrades and ensuring continued support for our systems.
A: The EOL for the Sophos XGS Firewall series has not been declared yet. You can refer to the retirement calendar for all our products.
Q: When I enable SSL/TLS inspection rules, users cannot access the internet. Thoughts on what could be causing the issue?
A: Please check that the firewall's SSL certificate is imported on the end-user machines. If you continue having issues, please contact the Sophos Support team.
Q: We're still using Sophos Firewall v19. Can we update to v21? Can all XGS devices update to v21?
A: Yes, all the XGS series are supported for v21.
Q: Suggested 3rd party threat feeds to start with?
A: Some great examples include Cisco Talos, Hakk Solutions, and CINS Score. You can find other recommendations in this documentation.
Q: How to start with Let's Encrypt certificate for User Portal/VPN Portal?
A: We recommend watching these techvids related to Let's Encrypt.
Q: What will happen if we update from XG to XGS model past EOL? Can we still transfer our setup?
A: Yes. We recommend reviewing this documentation for more information.
Q: After upgrading SFOS v20 to v21, do we need to change SSL VPN clients or certificates or is it seamless?
A: Yes. It's seamless and automated with the Sophos Connect client. You can find more information here.
Q: Our XGS116 uses around 70% memory with default settings, is that normal?
A: This depends on how many users the XGS116 is handling. It’s best to connect with your Sophos Account manager to identify if it’s undersized or not.
Q: How can we reject a user so they cannot enter our network? Should I create rules to reject that user or just create rules for those who can enter our network?
A: You can create a Firewall rule so only authenticated users are allowed to connect. You can find more information here.