XG Firewall version 17.5 MR4 (and future releases) provides the ability to create a custom password for configuration backups. We strongly recommend specifying a backup password at the first opportunity. Once set, all future backups will be encrypted and protected with that password.
Backups created before 17.5 MR4 can still be restored on systems running MR4, even after specifying a new encryption password as described above. Pre-MR4 encrypted backups use a common encryption password across devices which is not recommended.
Sophos would like to thank Mark Semmler for highlighting this security enhancement opportunity.
Applies to the following Sophos products and versions: Sophos XG Firewall (all versions)
Customers that do not use the backup feature do not need to take action.
All customers that perform backups should create a custom password. Customers should note that off-box storage of any backup should be further secured using a method of their choice and should not rely solely on the protection and obfuscation that Sophos provides.
Those customers who do not wish to take advantage of this additional security feature along with other product improvements can safely remain on their current version provided they don’t send backups over SMTP or FTP. Any off-firewall storage of a backup must be secured and encrypted.
Sophos XG Firewall v17.5 MR4.
This article will be updated when information becomes available.