Sophos Firewall v18.5 MR2 (Build 380) is now available

Sophos Firewall OS v18.5 MR2 (Build 380) is now available and includes a number of great feature enhancements, security and performance optimizations, and field-reported fixes.

We encourage all customers to update their firewall to the latest firmware release to take advantage of these new features and to ensure their firewall is performing optimally and is best protected with the latest security enhancements.

What’s New in Sophos Firewall OS v18.5 MR2 (Build 380):

  • FIPS 140-2 Level 1 Validation
    • v18.5 MR2 has been awarded Federal Information Processing Standards Publications (FIPS) 140-2 validation for XGS series hardware and virtual machines based on our latest Cryptographic Module
  • IPsec VPN Enhancements
    • Improved performance with support for GCM and Suite B ciphers
    • Enhanced idle time-out support for remote access connections – maintaining connections longer
    • Routing optimization using the tunnel interface IP address for route-based IPsec masquerading (MASQ)
  • New Sophos Assistant
    • Provides an interactive guided “helping hand” for important workflows in the product to make it much easier to learn and perform common tasks. See more details on Sophos Assistant.
  • Credential-Free Registration for Sophos Central
    • Greatly streamlines onboarding new firewalls into Sophos Central
  • Authentication Enhancements
    • Improved MFA support for the admin account with alerts and a streamlined setup process.
    • Support for multiple group memberships in Active Directory to show all the groups a user belongs to.
  • Certificate Enhancements
    • Adds new helpful information on certificate authorities, easy identification of locally added certificates that use private keys, and easy downloading of the public part of any certificate.
  • Additional Usability and Feature Enhancements
    • Added new domains for TLS exclusion to optimize TLS performance and the end-user experience
    • Support for Cloudflare as a DDNS service provider
    • Added a new global IPS switch to enable or disable the IPS engine
    • Installation wizard enhancement that bridges only two ports by default
    • Upgraded jQuery version to 3.5.x.
  • Troubleshooting Report Enhancement
    • Improved log file handling, backend report generation, and usability enhancements
  • Issues Resolved 
    • 100+ issues resolved

 This release also contains a number of enhancements for XGS Series appliance customers:

  • Xstream Flow Processor Driver update – for XGS Series 4300, 4500, 5500, and 6500 models to optimize performance on these high-end models
  • XGS Series Reimaging – a visual indication of ISO re-imaging complete status is now provided on the LCD display or on the interface LEDs
  • Hardware Reset on XGS 87/107 – enables a long-press of the hardware reset button to now initiate a factory reset

Important point to consider before you upgrade to v18.5 MR2:

Upgrading to v18.5 MR2 refreshes the firewall certificate that endpoints use for heartbeat with the firewall. Endpoints will need to download the refreshed certificate from Central after the firewall is upgraded to v18.5 MR2.

Please ensure that the endpoints have network connectivity so that the new certificate can be fetched from Central. If endpoints are blocked from resolving sophos.com via DNS to download the new certificate, heartbeat will start failing. One example is a "Block clients with no heartbeat" configuration in a firewall rule that prevents endpoints from connecting to (internal or external) DNS servers for resolution.

Please refer to KB-000043489 for more details.

Check out the v18.5 MR2 (Build 380) release notes for full details.

How to get it

As usual, this software update is available at no charge for all licensed Sophos Firewall devices and should be applied to all supported firewall devices as soon as possible.

It will be rolled out to all connected devices over the coming days. A notification will appear on your local device or Sophos Central management console when the update is available, allowing you to schedule the update at your convenience. Otherwise, you can manually download the latest firmware from the Licensing Portal and update anytime.

Sophos Firewall OS v18.5 MR2 (Build 380) is a fully supported upgrade from v17.5 MR14 and later, v18 MR3 and later (including the latest v18 MR6) and all previous versions of v18.5. Please refer to the Upgrade information tab in the release notes for more details.

What's Next:

Sophos Firewall OS v19 with Xstream SD-WAN:

The early access program for SFOS v19 is just around the corner – expected to start in December.  SFOS v19 introduces Xstream SD-WAN with major new enhancements to SD-WAN link performance management and routing, VPN, and networking.  Be sure to watch this space for more news on this exciting release.

Sophos ZTNA as an alternative to remote access VPN:

If you’re interested in a better alternative for remote access, check out our new Zero Trust Network Access product which just started its early access program for the release candidate.  It offers much better security, easier management, and a more transparent end-user experience than remote access VPN.

Sincerely,

Sophos Firewall Product Team

Parents
  • I have upgraded 3 customer appliances to 18.5 MR2. Only one of the devices has an X-Stream License. The other 2 have Base Firewall License only. On all 3 units I have web access from WAN enabled, and use a different port to 4444. On the unit licensed with X-Stream, this continues to work with no issues. On the 2 units which have a Base Firewall module only, this access now returns errors. The unit is responding with "Access is forbidden to the requested page", but accessing the unit via a LAN is working fine.

    Anybody else seeing this?

Children
  • Issue turned out to be due to a compulsory password reset on the default admin account being required. Also couldn't SSH into the unit. Entering the password was rejected. Once the compulsory reset was done, then the SSH into the console and the admin access over the WAN were working.

    Something updated in 18.5.2 is stopping a few functions when there is a compulsory password reset on the default admin account. So along with the myriad of popup dialog boxes when a Sophos unit opens, maybe one is needed to alert of this.