Sophos Firewall OS v19.5 MR1 is Now Available

We are pleased to announce that Sophos Firewall OS v19.5 MR1 is now released. This update to Sophos Firewall brings support for some exciting new hardware products plus a few feature enhancements and bug fixes.

What’s New in SFOS v19.5 MR1

Support for New XGS 7500 and XGS 8500 appliances

We’re broadening our XGS Series hardware portfolio to include two new 2U appliances. This allows us to address new opportunities in larger enterprise and campus environments, in addition to the existing SMB and distributed edge space.

These models are built from the core to provide the performance required for the most demanding networks:

  • Dual processor architecture with enterprise-grade acceleration for trusted traffic and applications
  • Up to 47% higher throughput for all key protection vs. next highest model (XGS 6500):
    • Up to 190 Gbps Firewall throughput
    • Up to 141 Gbps IPsec VPN throughput
    • Up to 93 Gbps IPS throughput
    • Up to 76 Gbps NGFW throughput
    • Up to 34 Gbps Threat Protection throughput
  • Industry-leading ROI per Protected Mbps vs. comparable competitive models
  • High performance, high capacity with dual redundant Non-Volatile Memory Express (NVMe) SSDs and a significant RAM increase over our other 2U models.
  • High speed built-in connectivity with two QSFP28 ports on each model supporting port speeds of up to 40 Gbps on the XGS 7500 and 100 Gbps on the XGS 8500.
  • Up to 2x better power efficiency than the industry average for comparable models in combination with IPsec VPN.

Learn more: Sophos News post: Firewall performance for the campus edge with the new XGS 7500 and XGS 8500 

Refer to the Partner News blog post, New high-end XGS Series firewall appliances are now available, for further information on hardware availability.

Support for New 5G Module for XGS 116(w), 126(w), 136(w)

We’re introducing a 5G cellular module for all XGS 116, 126, and 136 models (including w-models) which have a modular expansion bay.

The new global module enables 5G cellular network connections using the 5G Sub-6 bands, with download speeds of up to 4.5 Gbps and upload speeds of up to 660 Mbps (this may vary by carrier and region). The module also provides automatic fallback to 3G and 4G LTE (Cat-20) networks.

Our optional slot-in module becomes a fully supported, fully integrated part of the appliance, managed from your firewall console. This provides significantly better compatibility and interoperability than competitive external solutions.

We deliver the module with four cable-connected antennas to allow optimal coverage and performance.

Learn more about our 5G support: Sophos introduces 5G support for desktop firewalls

Other Enhancements and Bug fixes

  • Xstream SD-WAN - Enhancements to SD-WAN rule management. Clone SD-WAN rules above or below, move to nth position, create at top or bottom.
  • Backup Management - Firmware version is now included in the name of the backup file for improved identification.
  • Firmware upgrade - A warning message has been added to alert you to the risk of a factory reset when upgrading to a firmware version for which migration is not supported.
  • Includes 30+ important issues, stability and security fixes

Check out the v19.5 MR1 release notes for full details.

How to get the Firmware and Documentation

Sophos Firewall OS v19.5 MR1 is a free upgrade for all licensed Sophos Firewall customers and should be applied to all supported firewall devices as soon as possible to ensure that you have all the latest security fixes and feature updates.

This firmware release will follow our standard update process. You can manually download SFOS v19.5 MR1 from the Licensing Portal and update anytime. Otherwise, it will be rolled out to all connected devices over the coming weeks. A notification will appear on your local device or Sophos Central management console when the update is available, allowing you to schedule the update at your convenience.

Sophos Firewall OS v19.5 MR1 is a fully supported upgrade from all previous versions of v19.5, all previous versions of v19.0 including the latest v19.0 MR2 and all previous versions of v18.5 including the latest v18.5 MR5. Please refer to the Upgrade Information tab in the release notes for more details.

Full product documentation is available online and within the product.

Sincerely,

Sophos Firewall Product Team

Parents
  • No remote access VPN IPSec connections after Upgrade.

    IPSec site to site and OpenVPN is working

    Case 06321798

    Hello, please investigate asap as there is NO connection from clients possible at the moment.

    IPSec site to site is working, OpenVPN is working but no remote access VPN IPsec

    Logfile from Client:

    2023-03-10 09:14:13AM 10[CFG] loaded certificate 'C=DE, ...
    2023-03-10 09:14:13AM 06[CFG] loaded RSA private key
    2023-03-10 09:14:13AM 13[CFG] loaded EAP shared key with id 'KCMWUEK01_-_KM-user-id' for: 'xxx'
    2023-03-10 09:14:14AM 09[LIB] TAP-Windows driver version 1.0 available.
    2023-03-10 09:14:14AM 27[KNL] interface 28 'Sophos TAP Adapter' changed state from Down to Up
    2023-03-10 09:14:16AM 09[CFG] added vici connection: KCMWUEK01_-_KM
    2023-03-10 09:14:16AM 13[CFG] vici initiate CHILD_SA 'KCMWUEK01_-_KM-tunnel-1'
    2023-03-10 09:14:16AM 12[IKE] <KCMWUEK01_-_KM|7> initiating Main Mode IKE_SA KCMWUEK01_-_KM[7] to xxx
    2023-03-10 09:14:16AM 12[ENC] <KCMWUEK01_-_KM|7> generating ID_PROT request 0 [ SA V V V V V ]
    2023-03-10 09:14:16AM 12[NET] <KCMWUEK01_-_KM|7> sending packet: from 192.168.178.56[55012] to xxx[500] (180 bytes)
    2023-03-10 09:14:16AM 07[NET] <KCMWUEK01_-_KM|7> received packet: from xxx[500] to 192.168.178.56[55012] (40 bytes)
    2023-03-10 09:14:16AM 07[ENC] <KCMWUEK01_-_KM|7> parsed INFORMATIONAL_V1 request 4079268230 [ N(NO_PROP) ]
    2023-03-10 09:14:16AM 07[IKE] <KCMWUEK01_-_KM|7> received NO_PROPOSAL_CHOSEN error notify
    2023-03-10 09:14:16AM 09[CFG] vici terminate IKE_SA 'KCMWUEK01_-_KM'
    2023-03-10 09:14:16AM 10[ESP] unsupported IP version
    2023-03-10 09:14:16AM 27[KNL] interface 28 'Sophos TAP Adapter' changed state from Up to Down
    2023-03-10 09:14:17AM 06[CFG] unloaded private key with id xxx
    2023-03-10 09:14:18AM 10[CFG] unloaded shared key with id 'KCMWUEK01_-_KM-user-id'

    Nothing visible on SFOS GUI Logs under VPN
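
A triage helper for client logs in the format posted above, added here as an example (it is not part of the original post and not Sophos code). It ties each error notify to the last IKEv1 exchange the client sent, which shows whether the failure happened in phase 1 or phase 2; the connection name and address in the sample are constructed placeholders.

```python
import re

# Constructed sample in the format of the client log above; the connection
# name and address are placeholders, not values from the post.
SAMPLE_LOG = """\
2023-03-10 09:14:16AM 13[CFG] vici initiate CHILD_SA 'conn-a-tunnel-1'
2023-03-10 09:14:16AM 12[IKE] <conn-a|7> initiating Main Mode IKE_SA conn-a[7] to 198.51.100.10
2023-03-10 09:14:16AM 12[ENC] <conn-a|7> generating ID_PROT request 0 [ SA V V V V V ]
2023-03-10 09:14:16AM 07[ENC] <conn-a|7> parsed INFORMATIONAL_V1 request 4079268230 [ N(NO_PROP) ]
2023-03-10 09:14:16AM 07[IKE] <conn-a|7> received NO_PROPOSAL_CHOSEN error notify
2023-03-10 09:14:16AM 09[CFG] vici terminate IKE_SA 'conn-a'
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<thread>\d+)\[(?P<subsys>[A-Z]{3})\] "
    r"(?:<(?P<conn>[^|>]+)\|(?P<sa>\d+)> )?(?P<msg>.*)$")
EXCHANGE_RE = re.compile(r"^(generating|parsed) (\w+) (request|response) \d+ \[ (.*) \]$")
NOTIFY_RE = re.compile(r"^received (\w+) error notify$")

# IKEv1 exchange type -> negotiation phase it belongs to.
PHASE = {"ID_PROT": 1, "AGGRESSIVE": 1, "QUICK_MODE": 2}


def triage(log_text):
    """Return one finding per error notify received on an IKE_SA."""
    last_sent = {}  # (conn, sa) -> last phase 1/2 exchange this client generated
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["conn"] is None:
            continue  # not tied to an IKE_SA (e.g. [CFG] and [KNL] lines)
        key = (m["conn"], int(m["sa"]))
        ex = EXCHANGE_RE.match(m["msg"])
        if ex and ex[1] == "generating" and ex[2] in PHASE:
            last_sent[key] = ex[2]
            continue
        err = NOTIFY_RE.match(m["msg"])
        if err:
            exchange = last_sent.get(key)
            findings.append({
                "time": m["ts"], "connection": key[0], "ike_sa": key[1],
                "notify": err[1], "after_exchange": exchange,
                "phase": PHASE.get(exchange),
            })
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A `NO_PROPOSAL_CHOSEN` notify that follows only the first `ID_PROT` request is reported as phase 1: the responder accepted none of the IKE proposals the client offered, so the comparison to make is between the phase 1 proposals configured on each side.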

  • OK, currently running again. We found no reason for it and support just disabled and enabled it again. After that it was working. We are observing it further and will see if that was only a one time problem because there was an error in the config which was resolved by dis- and enabling it again...

  • Which version did you come from? Because there was an old issue with IPsec RAS, which was resolved by resetting the connection.

  • We have exactly tried to reproduce the issue, by upgrading from v19.5Ga to v19.5MR1. We are not able to reproduce this issue locally. We also logged in to your device, we see that the logs are rotated.

    We'd need the "ipsec statusall" output and files under /tmp/ipsec/connections and the /log folder during upgrade, to investigate the issue further.
