Sophos Firewall v18.5 MR1 Early Access is Here!

The product team is pleased to announce the early access program for SFOS v18.5 MR1 for all Sophos Firewall devices. v18.5 MR1 is available for all SFOS form factors – XGS Series, XG Series, Virtual and Software appliances as well as all supported cloud platforms. SFOS v18.5 MR1 includes support for new Sophos Central Orchestration capabilities as well as a number of important security fixes and enhancements.

Here’s a full list of what’s new in v18.5 MR1:

Support for new Central Orchestration Subscription (included in the new Xstream Protection license bundle):

  • Central SD-WAN VPN Orchestration enables easy point-and-click site-to-site VPN orchestration from Sophos Central – automatically configuring the necessary tunnels and firewall access rules for your desired SD-WAN overlay network.
  • Central Firewall Reporting Advanced with 30-days of data retention for full multi-firewall reporting in Sophos Central with access to all pre-packaged reports plus flexible custom report capabilities and the option to save, schedule, or export your reports.
  • Sophos MTR/XDR connector to enable Sophos Firewall intelligence and data to be used as part of our Managed Threat Response 24/7 service, or as part of your self-managed cross-product extended detection and response solution.

Get the full details on Central Orchestration and how to take advantage of it.

Additional Enhancements:

  • Resolved FragAttack Vulnerabilities recently discovered in the Wi-Fi specification for all internal and add-on Wi-Fi modules for Sophos (XG) Firewall desktop series appliances. All other updates will follow as outlined in this advisory.
  • With v18.5 MR1, Non-XGS form factors can benefit from performance improvements included in v18.5 GA, including - Improved network performance for TLS traffic in DPI mode.
  • Enhanced Backup/Restore Support improves backup/restore operations across different models by better mapping the management ports. v18.5 MR1 can also restore backups from v18 MR5 and earlier including any older v17.5 MRs.
  • XGS Series Reset Button enables a long press of the hardware reset button on XGS Series appliances (XGS 116 and higher models) to perform a factory reset to help recover from a bad configuration.
  • VPN Tunnel Logging adds improved logging of VPN tunnel flap events and IPsec IKEv2 rekeying
  • Sophos DDNS (myfirewall.com) will be discontinued and no longer supports new registrations. This is planned from January 31, 2022. Refer to KBA-41764 for more details.

Main Menu Enhancements:

A few main menu items have been renamed and re-organized to make the menu more intuitive:

  • A new "Zero-Day Protection" menu item is now part of the "Monitor and Analyze" section that contains two tabs that were previously under the “Advanced threat” menu. The first tab provides a record of all files that have been analyzed by Threat Intelligence and Sandboxing in the SophosLabs Intelix Cloud.  The second tab provides settings for this analysis..
  • A new "Sophos Central" menu item is part of the “System" section that contains the settings for connecting the firewall to Sophos Central for Synchronized Security features and for Sophos Central Management and Reporting (including the new Central VPN Orchestration capability).
  • Other minor changes include the renaming of the “Advanced threat” menu item to “Advanced Protection” to better reflect it’s function

Issues Resolved:

  • NC-69584 [Authentication, SSLVPN] The user information displayed for remote users under Monitor & Analyze -> Current activities on Web Admin are not display proper. 
  • NC-73734 [Date/Time Zone] Reports showing wrong time zone due to /etc/timezone is not updated during restore
  • NC-73542 [Email] DKIM signing broken in Exim 4.94
  • NC-73665 [Email] Email exception list is empty for source/host if you save and re-open the exception
  • NC-58370 [Firewall] User logout event clears firewall fields in conntrack of connection going through network based rules, results in packet drop
  • NC-66067 [Firewall] Firewall filter for 'unused' rules does not work.
  • NC-69495 [Firewall] XG 210 frequently rebooting [skb->sk corruption]
  • NC-69558 [Firewall] XG750 18.0.3.457 crash: tcp_v4_rcv+0xb14/0xbb0
  • NC-70461 [Firewall] IPv6 Host group doesn't match when a network type host is added in host group
  • NC-71473 [Firewall] PortB4 (not existing) still shows up in custom SNAT on CLI
  • NC-71922 [Firewall] XGS6500 auto rebooted
  • NC-72153 [Firewall] VLAN on bridge with fastpath enabled does not pass traffic
  • NC-72494 [Firewall] When multiple packets are sent from the same origin to the same destination at the same time,the first packets always get drop
  • NC-68595 [HA] Unable to establish HA with Quick Mode
  • NC-72076 [HA] HA sync dir failure resulted in empty directory
  • NC-69937 [Hotspot] Hotspot option device per voucher is inconsistent
  • NC-72311 [Hotspot] Hotspot user logged in when the arp resolution was in incomplete state
  • NC-71126 [Interface Management] XGS 116w EAP3 - IF alias UI timeout error
  • NC-71333 [Policy Routing] Incoming VPN traffic doesn't follow SDWAN policy
  • NC-71151 [QoS] Unable to edit/add users when traffic shaping policy exist with name "None"
  • NC-71996 [SNMP] SNMPD memory usage keeps increasing
  • NC-73687 [SSLVPN] SSLVPN remote access: push_reply does not include updated permitted lan networks
  • NC-71443 [WAF] WAF license warning even if WAF is subscribed

 

How to get Early Access and Provide Feedback:

  • This release is available for early access to all Sophos (XG) Firewall devices:  XGS Series, XG Series, virtual, cloud, and all supported platforms running SFOS.
  • You can upgrade to v18.5 MR1 with configuration migration supported from:
    • v18.5 GA versions
    • v18 MR3 or later, and
    • v17.5 MR14 or later.
  • Backup/Restore is also supported from any older v17.5 and v18 MRs including the latest v18 MR5 and v17.5 MR16.
  • You can download the firmware upgrade file and installers for your firewall from the download links in the table below.
Download links for firmware and installers
Hardware Devices
  Firmware upgrade file ISO Installer
XGS Series HW-18.5.1_MR-1.SF310-318.sig HW-18.5.1_MR-1-318.iso
XG Series HW-18.5.1_MR-1.SF300-318.sig
Virtual Appliances
  Firmware upgrade file Virtual Installer
VMWare VI-18.5.1_MR-1.VMW-318.sig VI-18.5.1_MR-1.VMW-318.zip
Hyper-V VI-18.5.1_MR-1.HYV-318.sig VI-18.5.1_MR-1.HYV-318.zip
KVM VI-18.5.1_MR-1.KVM-318.sig VI-18.5.1_MR-1.KVM-318.zip
Xen VI-18.5.1_MR-1.XEN-318.sig VI-18.5.1_MR-1.XEN-318.zip
Software Appliances
  Firmware upgrade file ISO Installer
Software
Appliance
SW-18.5.1_MR-1.SFW-318.sig SW-18.5.1_MR-1-318.iso
Appliances on AWS and Azure
Firmware upgrade file
AWS
VI-18.5.1_MR-1.AMI-318.sig
Azure
VI-18.5.1_MR-1.AZU-318.sig

  • You can provide early access feedback directly to the product team using the new and improved in-product feedback mechanism introduced with v18.5. Simply click the feedback link at the top right of the web console UI. Alternatively, you can provide your feedback via the community.

 

This release is expected to be Generally Available and rolled out automatically to all customer devices starting in early August.

Thanks for your help in making this release the best it can be.

Sincerely,

Sophos Firewall Product Team



  • After rebooting with the new firmware on my xg115 with software version installed, the cpu spikes up to 99%. The webadmin is unusable.
    Via ssh (top) there are several processes like "apiInterface", "getappkey", "readobject" which are blowing up cpu usage.

    Even after an hour the cpu usage don't get down... i think i have to go back to v18.0 mr5

  • We should not start a debate about this on in a release notes post, as this will get unreadable over time. 

    I cannot comment on such detail level but as far as i understand, application whitelisting is one portion of "you can complain with ISO with that" or you can also deal with unauthorized software on another level of blocking. If you interact with the endpoint and make sure, unauthorized Software is stopped to be launched in the first place, it could be another approach. The problem with a gateway solution is always: it will stop the communication on the traffic, it sees. But it will not deal with the app itself. Technical speaking, i can fully exploit your endpoint without leaving the endpoint and communicating to the internet. 

    Sophos did a whitelisting approach for the server called Server Lockdown. 

    Just my last thoughts about this one. 

  • That's not my experience. Of cores in the beginning you have to identity all services and applications, but iso 27001 certified  costumers have to do this anyway.
    Once setup is done you do not have to modify this filter quite often as application requiring internet access do not often change.
    If new applications appears you have to follow an approval process anyway. That's how security works according to international standards.

  • this is valid for firewall rules, but nc-68226 is for application filter rule (there are no zones, just applications)

  • That is true - You cannot use Deny anymore. And i have to say, i never saw a customer using this, as this was possible in previous versions. 

    People are often fantasying about this Deny All (Whitelisting of Apps). But in the reality of most products, this is a administration nightmare to deal with. I know, there are often critical infrastructure customers wanting this. But i have to say: App control on such level is not a job of a gateway, instead of a endpoint.