Sophos Firewall OS v19 MR1 is Now Available

Sophos Firewall OS v19 was released just a few months ago in April, and has already been adopted by a huge number of partners and customers who have upgraded to take advantage of the many Xstream SD-WAN and VPN enhancements.

This latest update, v19 MR1, brings a number of additional enhancements and fixes to what is already one of our best firewall updates ever:

What’s New in SFOS v19 MR1:

VPN and SD-WAN Enhancements:

  • SSLVPN Remote Access - Static IP lease support to enable mapping of remote users with static IP addresses to improve user traceability, monitoring and visibility. This also includes static IP leases with an external Radius server.
  • IPsec VPN Enhancements - includes adding default IPsec site-to-site IKEv2 policies for improved head office to branch office tunnels, eliminating manual fine tuning for re-key interval, dead peer detection (DPD) action and key negotiation. Defaults were also updated to prevent flapping of UDP connections (VoIP, Skype, RDP, Zoom, etc.).  Also disabled "vpn conn-remove-tunnel-up" and enabled "vpn conn-remove-on-failover" for new configuration (but does not impact existing deployments)
  • SD-RED - Now support multiple DHCP servers for RED interfaces
  • SD-WAN Profiles - The Rule-ID and index column are added on the SD-WAN profile management page for easier troubleshooting

Other Enhancements:

  • Anti-Malware Engine - Anti-malware engines and associated components were upgraded to full 64-bit operation to provide optimal performance and future support. Note that the secondary malware scan engine, Avira, will no longer provide detection updates for the 32-bit version after December 31, 2022.  Anyone using Avira will need to upgrade to v19 MR1 or v18.5 MR5 (to be released soon) before the end of the year or switch to just using the Sophos engine. 
  • Synchronized Security - Improved Sophos Central Firewall Management resilience in environments with thousands of endpoint certificates being used for Synchronized Security Heartbeat.
  • Email - Added an option to report a spam email as a False Positive from the quarantine release screen
  • Sophos Assistant - Added an option to opt-out of the Sophos Assistant
  • Additional Fixes - Over 50+ additional performance, stability and security fixes and enhancements are also included

Check out the v19 MR1 release notes for full details.

Important Licensing Change for Future Firmware Updates:

As covered in the recent community blog post, SFOS v19 MR1 introduces a support requirement for firmware upgrades which will come into effect for customers without a valid support subscription after they've used an initial free upgrade allocation.

 To summarize:

  • No change for customers with a valid support subscription (about 80% of customers)
  • Future action will be required by the remaining 20% who do not have a support subscription, but also no immediate change

Full Details and FAQs

How to Get it:

The release of v19 MR1 follows our regular firmware release process so you can download it now from MySophos or wait until it appears in your console over the next few weeks.

Sophos Firewall OS v19 MR1 is a fully supported upgrade from v19 GA, all previous versions of v18.5 including the latest v18.5 MR4 and v18 MR3 and later. Please refer to the Upgrade information tab in the release notes for more details.

  • Are you per chance using webproxy and not transparent SSL-inspection? 

  • This has been resolved on the two customers reported.  For reference:


    Some website that are signed by Lets Encrypt have a validation failures after upgrading to 19.0 (GA or MR1).



    The customer has uploaded a Lets Encrypt CA to WebAdmin that is no longer valid.

    Lets Encrypt used cross signing to two certificates both called ISRG Root X1.  One of them is a Root CA and the other is an Intermediate CA that is in turn signed by DST Root CA X3, which expired Sept 2021.  Some customers may have uploaded the Intermediate CA, however it is no longer valid.  If it was working in 18.5 that means the order in which CAs were loaded was the valid CA was loaded before the invalid CA and sites were validated successfully.

    In 19.0 (both GA and MR1) we changed the order in which CAs are loaded.  For some customers that means the no-longer-valid CA is loaded first, which causes the error.

    Customers may have uploaded Lets Encrypt CAs to support internal servers or WAF, for example Synology NAS.



    WebAdmin > Certificates > Certificate Authorities

    In the column headers, filter by type Uploaded

    Delete any Uploaded certificates that are Subject:

    /C=US/O=Internet Security Research Group/CN=ISRG Root X1



    Retest any reason that you had for uploading the Lets Encrypt CA.

    For example if you are using Lets Encrypt for WAF, retest your WAF.  You may need to delete and re-upload your server certificate so that the new correct chain is supplied.

  • How to configure this:

    • SSLVPN Remote Access - Static IP lease support to enable mapping of remote users with static IP addresses to improve user traceability, monitoring and visibility. This also includes static IP leases with an external Radius server.


    Found nothing, but the linked NAT workaround ?!

  • Just rebooted, that did the trick...