This article describes the new features in Sophos XG Firewall v17.1. For full details of the new capabilities and enhancements, read XG Firewall - What's new in v17.1.
The XG Firewall v17.1 firmware update will be rolled out automatically to systems in stages over the coming weeks, and you’ll see a notification on the Control Center when it’s available for your firewall. If you don’t want to wait, you can update to v17.1 at any time by getting the latest firmware release from MySophos.
Applies to the following Sophos products and versions: Sophos Firewall
With the tremendous number of cloud application and storage services available, organizations require visibility to expose any hidden risks related to what services are being used and where data is being stored. XG Firewall v17.1 delivers shadow IT discovery and cloud app visibility as the first phase of our CASB solution. This feature includes a new widget on the Control Center that provides valuable usage information on new, sanctioned, unsanctioned, and tolerated cloud-based applications and services. It also provides insights into inbound and outbound traffic by type. Drill down to detailed reporting on individual cloud apps and services that provides details on users, traffic, uploads, and downloads with options to classify, filter, or traffic shape individual apps or services. Further drill downs provide additional information on individual user traffic and data usage for each cloud application, so you can identify risky usage patterns quickly and easily. For more details, read: Sophos XG Firewall v17.1: How to configure Cloud Applications feature.
The SSL VPN Port for remote access can now be customized. Go to VPN and click on Show VPN Settings to choose the SSL VPN port.
A new feature changes the hyperlinks to several internal pages from IP address to hostname. Combined with using your own certificate, this will remove certificate warnings seen by end users. For detailed information, read Sophos XG Firewall v17.1: New console hostname feature for page redirects.
Synchronized App Control, introduced in v17, has proven to be a breakthrough in network visibility, able to identify, classify and control previously unknown applications active on the network. It utilizes Synchronized Security to obtain information from the endpoint about applications that don’t have signatures or are using generic HTTP or HTTPS connections. It solves a significant problem that affects signature-based app control on all firewalls today, where many applications are classified as “unknown,” “unclassified,” “generic HTTP,” or “SSL,” for example. Read more in Sophos XG Firewall v17: How to configure Synchronized Application Control (SAC).
In addition to the filtering options provided in v17, Synchronized App Control gets a few additional enhancements that streamline large application list management, such as the ability to search for applications and the option to delete or remove discovered applications from the list that are not relevant to you. The application category is also now displayed in the application list, making it easy to see what category an application is associated with at a glance.
Enhancements have been made to firewall and rule management to improve flexibility and streamline management even further. You can now double-click a firewall rule in the list to open it for editing. There’s a new option to block Google QUIC’s HTTPS over UDP, forcing a fallback to TCP and enabling full SSL inspection of the traffic. There is also added flexibility in defining ACL exceptions to restrict access to services, for example the User Portal from a single alias.
User management of individual SMTP block and allow lists is now provided via the User Portal. Domains or email addresses added to the allow list will bypass policies (except for malware or sandboxing enforcement), and adding domains or addresses to the block list will automatically quarantine emails from those senders.
In addition, more flexible and granular SMTP policy exceptions are supported to provide parity with Sophos SG UTM and reduce false positives. Exceptions can be defined based on sources/hosts, sender address domains, or recipients (with support for wildcards).
XG Firewall v17.1 provides wireless networking enhancements, including the option to set the channel width for wireless radios in the GUI, as well as RADIUS accounting.
XG Firewall v17 introduced new IKEv2 support for IPsec VPN connections, and all stability and reliability enhancements delivered in subsequent maintenance releases are included with v17.1.
Support for the latest XG Series desktop hardware connectivity and features, unveiled in an earlier maintenance release, is also included in XG Firewall v17.1.