This article describes the use of the new features made within Sophos XG Firewall v17.5. For full details of the new capabilities and enhancements, read XG Firewall - What's new in v17.5.
The XG Firewall v17.5 firmware update will be rolled out automatically to systems in stages over the coming weeks, and you’ll see a notification on the Control Center when it’s available for your firewall. If you don’t want to wait, you can update to v17.5 at any time by getting the latest firmware release from MySophos.
Applies to the following Sophos products and versions: Sophos Firewall
Synchronized App Control, introduced in v17, has proven to offer a breakthrough in network visibility with its ability to identify, classify and control previously unknown applications active on the network. It uses Synchronized Security to obtain information from the Endpoint about applications that don’t have signatures or that are using generic HTTP or HTTPS connections. It solves a significant problem that affects signature-based app control on all firewalls today, where many applications are classified as “generic HTTP”, “SSL”, or even “unknown” or “unclassified”.
This feature has been so successful in identifying hundreds of new applications on most networks that several additional enhancements have been requested since launch to better manage and organize the newly discovered applications. In addition to the enhancements provided in v17.1, Synchronized App Control adds the much-requested ability to display Windows and Mac system applications in a separate list, to better focus on user-driven applications. You can also hide applications, then use a new filter option to view hidden applications and unhide apps. There’s also a new option to mark applications as seen to remove them from the “new” list. Enhancements have also been made to how path names are displayed. Read more in Sophos XG Firewall: How to configure Synchronized Application Control (SAC).
When Synchronized Security was first introduced with XG Firewall, Security Heartbeat™ settings in firewall rules allowed unhealthy endpoints with RED or YELLOW heartbeat status to be denied or blocked by these firewall rules. This effectively ensures compromised systems can be isolated from other parts of the network such as other zones, segments, or even the internet depending on the firewall rule configuration. In this way, Security Heartbeat™ helps isolate infected endpoints to prevent a threat moving or spreading to other parts of the network or communicating out to the internet.
In v17.5, this feature is enhanced further with the ability to isolate unhealthy endpoints even from other endpoints on the same broadcast domain or network segment. This is a new Synchronized Security feature that effectively provides an adaptive micro-segmentation solution. With Lateral Movement Protection, each individual endpoint is effectively on its own segment, able to be isolated in response to an attack or threat regardless of the network topology, and without any added cost, infrastructure, overhead, or performance impact. This is accomplished by the firewall automatically informing all healthy endpoints to ignore any traffic coming from unhealthy endpoints, effectively isolating them on the network until they can be cleaned up. Once an endpoint is cleaned up, its Security Heartbeat status returns to GREEN and connectivity with other systems on the network is automatically restored.
The XG Firewall acts as the distribution hub for all information the endpoints need to isolate themselves from infected endpoints.
Configuration for this feature is available within Sophos Central. Go to Global Settings > Endpoint Protection > Reject Network Connections.
This takes you to the configuration page where you can exclude specific endpoints from the Lateral Movement Protection feature so that they are never isolated.
In addition, IPS detection from compromised endpoints can now trigger a RED heartbeat condition and lateral movement protection as well, further enhancing protection from threats on the network.
Note: The Lateral Movement Protection feature is currently supported on Windows machines only.
User authentication is critically important for all next-gen firewalls to provide user-based visibility, reporting and policy enforcement. In a typical Active Directory environment, transparent user identity at the firewall is achieved either by installing an agent on the Directory Server to relay user identity information to the Firewall, or by installing an agent on the endpoint to share user identification. These agent solutions can be problematic to deploy in some situations and environments. With v17.5, endpoints on an Active Directory domain can now share user identity with the Firewall through the Security Heartbeat™ connection. This makes user identification seamless and easy without having to deploy agents on the domain controllers. This feature can be very helpful in many situations, but particularly where inline deployment of XG alongside other firewalls is desired.
Read more in Sophos XG Firewall: How Synchronized User ID authentication works.
A few enhancements to web policy enforcement are included in v17.5 that have been highly requested by many customers, particularly those in the education sector. Web policies have been expanded to include many settings that were previously global configuration options. Search engine enforcement (including SafeSearch and YouTube restrictions), download file size limits, and Google App domain restrictions are now all set on a per-policy basis, providing much greater flexibility in how these controls are applied. Read more about SafeSearch in Sophos XG Firewall: How to enforce SafeSearch.
When redirecting users to the captive portal or other interactive pages, you can now choose between the Firewall's configured hostname, the IP address of the first internal interface, or a different hostname entered in the GUI. Also, the Check settings button lets you verify your settings for possible errors and resolutions. Read more in Sophos XG Firewall: New console hostname feature for page redirects.
Web policy overrides is another top requested feature. It allows authorized users to override blocked sites on user devices, temporarily allowing access. Administrators define which users (e.g. teachers) have the option to authorize policy overrides. Those users can then create their own override codes, like simple passwords, in the XG Firewall User Portal and define rules about which sites they can be used for. Codes can be shared with end users, who enter them directly into the block page to allow access to a blocked site. Override code rules can be broad (allowing any traffic or whole categories) or narrow (allowing only individual sites or domains), and can also be limited by time and day. To avoid abuse, codes can easily be changed or cancelled. Administrators can see a full list of all override codes created and disable or delete them, as well as define sites or categories that can never be overridden. There is also a new report providing full historical insight into web override use. Read more in Sophos XG Firewall: How to configure web policy override.
Chromebooks are increasingly popular in education and some corporate environments, but they create a unique set of challenges for user identification with network firewalls. XG Firewall v17.5 provides a Chromebook extension that shares Chromebook user IDs with the Firewall to enable full user-based policy enforcement and reporting.
Prerequisites include an on-premises Active Directory server synced to Google G Suite. The Chrome extension is pushed from the G Suite admin console, providing easy and seamless deployment that is transparent to users. Read more in Sophos XG Firewall: How to setup Chromebook Single-Sign-On (SSO).
The XG Firewall Client Authentication Agent is a very popular authentication method, and in v17.5 it gets a number of important enhancements, including per-machine (rather than per-user) installation support, an option to hide on startup, an option for the user to explicitly log out, automatic reconnection on wake from sleep, MAC address telemetry sharing to support MAC address filtering, a new icon, and support for Windows XP. Read more in Sophos XG Firewall: Client Authentication Agent.
An all-new XG Firewall Log Viewer was launched with v17, and in this release it gets further enhancements. The filter list is now sorted in alphabetical order, and all rule IDs in log entries are now hyperlinked, opening the related firewall rule in the main window when clicked. In the standard column view, there is a new option to customize the columns displayed in the log viewer. Up to 17 different columns can be selected from the full set of fields available for the selected module being monitored. Read more in Sophos XG Firewall: Log Viewer behavior.
Firewall rule group enhancements add an option to select a group when creating a firewall rule, including the option to assign the rule to a group automatically. The rule will be assigned to a group based on matching criteria defined as part of the group configuration.
You can now set redundancy groups for your IPsec tunnels that handle fail-over automatically in the event of a disruption, and fail-back once the primary link is available again.
This option is under VPN > IPsec connections > Failover group.
There is now a similar option for WAN link restoration following a fail-over, which will move either only new connections or all connections to the restored link. Read more in Sophos XG Firewall: How to configure redundant internet connection using WAN Link Manager feature.
Over time we have been enhancing protection and performance of the IPS engine by adding the Talos commercial IPS signature library from Cisco. We augment the Talos library with additional signatures as required to ensure optimal intrusion protection. The Talos library includes more granular categories, and in v17.5 we are making those available in the IPS policy tool, making it easier to tune your policies for optimal protection and performance. Like SophosLabs, Talos is a highly respected network security analysis group working around the clock to respond to the latest trends in hacking, intrusions, and malware.
Note: All new categories have been carefully mapped to the previous categories, but admins are encouraged to use this as an opportunity to double-check their IPS policies and ensure they are optimized under the new category structure.
Read more in Sophos XG Firewall: Introduction of the new TALOS IPS signatures and categories.
XG Firewall email enhancements include recipient verification using Active Directory and Sender Policy Framework (SPF) spoofing protection. The Mail Transfer Agent (MTA) is also being updated to Exim. Together these enhancements address the top requested email features from our SG UTM customers and partners. Read more in Sophos XG Firewall: How to configure SPF record check for email spoof prevention.
There is also support for RADIUS server failover across multiple servers.
At the same time as v17.5, we are launching the Early Access Program (EAP) for Sophos Connect, a new IPsec VPN client that makes VPN connections easy to deploy and seamless for end users. It also supports Synchronized Security for remotely connected clients, providing all the benefits of application visibility, health monitoring and response for remote users. Connection profiles can be easily deployed or added at any time. The application runs as a system tray item on Windows and a menu bar item on Mac. It is freely available to all XG Firewall customers from within the XG Firewall management console under VPN > Sophos Connect. Read more in Sophos XG Firewall: Sophos Connect Client.
XG Firewall v17.5 incorporates the new Avira virus scan engine v4.x. When v17.5 boots for the first time, it downloads the full (not incremental) Avira patterns, approximately 90 MB, and reloads the virus scan engine. This may take a few seconds or minutes depending on bandwidth. During this time, web and email traffic is blocked. Blocked emails stay in the email spool with the reason shown as malware scan failed; these emails are delivered once the engine is back up after the reload.
AirGap enables updates for XG Firewalls deployed in environments that are physically isolated from the internet (an “airgap”). Protection pattern updates can be downloaded from a public URL. Licenses and firmware updates can be downloaded from MySophos. All updates can be applied to the XG Firewall from the GUI. Read more in Sophos XG Firewall: How AirGap and manual pattern updates features works.
Support for the latest Wave 2 APX Series wireless access points will be provided in a follow-on maintenance release shortly after the release of v17.5.
Enhanced online help now centers around the user’s current task and needs, with a learning content approach that suggests context-specific actions, related information and links to relevant Knowledge Base articles.