Sophos Firewall OS v19.5 MR2 is Now Available

The adoption rate of our new Sophos Firewall v19.5 firmware continues to be our fastest ever, with nearly half of install base already running the latest major release 19.5.

We are pleased to announce the availability of our second major maintenance update to v19.5 with this release.

What’s New in SFOS v19.5 MR2

Important Security and Hardening Enhancements

With this release, we are implementing two security enhancements that help harden your firewall and follow industry best-practices for the protection of your firewall from attacks.  

Web Admin access for specific IPs:

  • We strongly recommend disabling web admin console access from all WAN sources (the Internet) to reduce the potential for a brute force or reconnaissance attack. Instead, we suggest that remote management of your firewalls be performed through Sophos Central which is free for all customers.
  • However, if you absolutely need to provide WAN access to the web admin console, v19.5 MR2 enforces WAN access from specific IP addresses and networks using an ACL exception rule (Administration > Device access > Local service ACL exception rule). It will no longer be possible to enable web admin console access from all WAN sources.
  • There is no impact for existing deployments: Web admin access if already enabled from all WAN sources continues to work even after you upgrade onto v19.5 MR2 except if it is no longer being used (see next point). However, as mentioned above, we strongly encourage you to disable this or at least use the new ACL exception rule to improve your security posture.

Web Admin or User Portal Access from all WAN sources (Internet) disabled after 90 consecutive days of inactivity:

  • Many customers have setup WAN access to the web admin console and/or User Portal long ago, do not use it, and have forgotten about it, leaving their firewalls potentially exposed to a brute force or reconnaissance attacks from the Internet.
  • 19.5 MR2 will automatically disable web admin and/or user portal access from the internet (all WAN sources) after 90 consecutive days of inactivity.
  • Access configured using the new ACL exception rule will NOT be disabled even after 90 days of inactivity.
  • There is no impact for existing deployments with active usage. If you have Web admin or User portal access enabled from all WAN sources, access to these portals will remain unaffected as long as there is activity at least every 90 days.

Be sure to check out our recent article on Best Practices for Securing Your Firewall

New How-To Guides

  • Routing and NAT configuration for IPsec: New how-to tutorials are linked directly from the relevant section of the product to help with IPsec deployments including use cases such as system generated DHCP relay traffic, authentication traffic, and traffic to a host through existing IPsec tunnel.

Other Enhancements:

  • Dynamic Routing: Now supports up to 4K multicast groups for added scalability in the dynamic routing deployments.  This eliminates any issues related to dynamic routing failing to join multicast groups.
  • SD-RED: A new banner is added to notify admins about the approaching EoL (End-of-Life) for legacy RED 15(w) and RED 50 devices.  Customers should upgrade their RED devices to the latest models with higher performance and improved connectivity.

Check out the v19.5 MR2 release notes for full details.

How to get the Firmware and Documentation

Sophos Firewall OS v19.5 MR2 is a free upgrade for all licensed Sophos Firewall customers and should be applied to all supported firewall devices as soon as possible to ensure that you have all the latest security fixes and feature updates.

This firmware release will follow our standard update process.  You can manually download SFOS v19.5 MR2 from the Licensing Portal and update anytime. Otherwise, it will be rolled out to all connected devices over the coming weeks. A notification will appear on your local device or Sophos Central management console when the update is available, allowing you to schedule the update at your convenience.

Sophos Firewall OS v19.5 MR2 is a fully supported upgrade from all previous versions of v19.5, all previous versions of v19.0 and all previous versions of v18.5. Please refer to the Upgrade Information tab in the release notes for more details.

Full product documentation is available online and within the product.

Sincerely,

Sophos Firewall Product Team

Parents
  • Will Local service ACL exception rules allow FQDN Host Objects as a source as well with this release?

    IP-Hosts still not good when using direct access as fallback e.g. as MSP. Changing Public IP of MSP would cause modifying multiple appliances. Using FQDN Host as possible source would make this much easier.

    Espescially on smaller appliances central access takes way too much time. Direkt WebAdmin and SSH Access would be better/more efficient in many cases or at leafs emergency-access.

  • No, this is not included in this release yet. 

    But overall, the approach will not change for at least 90 Days. If you have active communication on User Portal/Webadmin yet, it will not do any change for your installation. 

    If you have not any kind of active communication, the User Portal / Webadmin will be turned off after 90 days.

    ACL Support for FQDN could be included in a future release for those, who want to do it. 

    Nevertheless - Emergency Access should be done via Central, as the way, how Central SSO works, is always reachable. 

  •   you wrote "If you have not any kind of active communication, the User Portal / Webadmin will be turned off after 90 days."

    is that only successfull login? Failed (by hackers) logins will hopefully not reset the timer? Do you know that?

  • Only successful Logins will reset the timer. Otherwise each and every Port Scan would reset the timer. 

  • "how Central SSO works, is always reachable."

    Unless Sophos Central goes down. Single point of failure. Ask Cisco how that worked out for their SD-WAN devices this week...

Comment Children
  • You can always argue, this is the single point of failure, it is a matter of likelihood. In case you need access to your firewall to configure something, how high are the chances, a AWS Service is down, or the Central Service, build on AWS, is down.

  • Belt and suspenders. I've seen AWS outages, I've seen vendor outages that were built in AWS but not related to an AWS outage. Either way they're both single points of failure. Right now we use both Sophos Central, *and* ACL rules for direct access. One stops working we can use the other. I'd never put all my eggs in one basket across that many devices and clients. Like I said elsewhere, it would be like doing all your server backups to a single location -- instead of a "3-2-1" backup strategy you would just be doing "1".

    I've also spent weeks waiting to have some issues fixed by support before with our Sophos Central Partner deployment, so I can't necessarily wait during a Central issue if I don't have a backup method.

  • Your argument with backup seems not the same to me. One is access to the firewall, one is the configuration.
    So if one is not available, a access will be there after the issue. A backup is lost forever. 

  • I'm sorry, I should have been more clear. My backup example is just an analogy. It's not meant to represent an apples-to-apples comparison.

    What it's meant to represent is, in the I.T. world, you never rely on a single solution for anything mission-critical. For example, you never rely on just one backup solution. You never rely on just one method of access to your servers. (Remote access has out-of-band access as a failsafe.) You never rely on just one central portal to be able to get into your firewalls. You never rely on just one controller to access your switches and access points.

    The list of examples goes on, but the point stays the same on all those examples. Single points of failure are to be avoided.