Sophos Firewall OS v19.5 MR2 is Now Available

The adoption rate of our new Sophos Firewall v19.5 firmware continues to be our fastest ever, with nearly half of install base already running the latest major release 19.5.

We are pleased to announce the availability of our second major maintenance update to v19.5 with this release.

What’s New in SFOS v19.5 MR2

Important Security and Hardening Enhancements

With this release, we are implementing two security enhancements that help harden your firewall and follow industry best practices for protecting your firewall from attacks.

Web Admin access for specific IPs:

  • We strongly recommend disabling web admin console access from all WAN sources (the Internet) to reduce the potential for a brute force or reconnaissance attack. Instead, we suggest that remote management of your firewalls be performed through Sophos Central which is free for all customers.
  • However, if you absolutely need to provide WAN access to the web admin console, v19.5 MR2 enforces WAN access from specific IP addresses and networks using an ACL exception rule (Administration > Device access > Local service ACL exception rule). It will no longer be possible to enable web admin console access from all WAN sources.
  • There is no impact on existing deployments: web admin access that is already enabled from all WAN sources continues to work after you upgrade to v19.5 MR2, unless it is no longer being used (see the next point). However, as mentioned above, we strongly encourage you to disable this access, or at least use the new ACL exception rule, to improve your security posture.

Web Admin or User Portal Access from all WAN sources (Internet) disabled after 90 consecutive days of inactivity:

  • Many customers set up WAN access to the web admin console and/or User Portal long ago, no longer use it, and have forgotten about it, leaving their firewalls potentially exposed to brute force or reconnaissance attacks from the Internet.
  • 19.5 MR2 will automatically disable web admin and/or user portal access from the internet (all WAN sources) after 90 consecutive days of inactivity.
  • Access configured using the new ACL exception rule will NOT be disabled even after 90 days of inactivity.
  • There is no impact for existing deployments with active usage. If you have Web admin or User portal access enabled from all WAN sources, access to these portals will remain unaffected as long as there is activity at least every 90 days.
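The two rules above combine into a small policy decision per WAN request: is the source covered by an ACL exception (always allowed, never auto-disabled), and if not, is the legacy "all WAN sources" switch still on and has it been used within the last 90 days? The following Python is an added example written for this post, not SFOS code or Sophos tooling: it models that decision, replays it over constructed access events (documentation IP ranges, invented timestamps), and includes an audit helper that reports how many days of slack remain before the auto-disable would trigger. The strict "more than 90 days" boundary and the assumption that ACL-exception hits do not refresh the any-WAN activity timer are modelling choices, not details stated in the announcement.

```python
"""Added example (not Sophos code): model of the v19.5 MR2 WAN-access rules
for the web admin console and User Portal, replayed over constructed events."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import ipaddress

INACTIVITY_LIMIT = timedelta(days=90)  # "90 consecutive days of inactivity"


@dataclass
class PortalPolicy:
    """WAN-access state for one portal (web admin console or User Portal)."""
    name: str
    any_wan_enabled: bool          # the legacy "all WAN sources" switch
    acl_exceptions: list           # CIDR strings from the local service ACL exception rule
    last_used: datetime            # last allowed any-WAN access
    networks: list = field(init=False)

    def __post_init__(self):
        self.networks = [ipaddress.ip_network(n) for n in self.acl_exceptions]

    def in_acl(self, src: str) -> bool:
        ip = ipaddress.ip_address(src)
        return any(ip in net for net in self.networks)

    def evaluate(self, src: str, now: datetime):
        """Decide a WAN request from src at time now; returns (allowed, reason)."""
        # Rule 1: ACL-exception sources are allowed and never auto-disabled.
        # Assumption: such hits do not refresh the any-WAN activity timer.
        if self.in_acl(src):
            return True, "acl-exception"
        if not self.any_wan_enabled:
            return False, "any-wan-disabled"
        # Rule 2: "all WAN sources" access is switched off once the portal has
        # gone unused for more than 90 days (strict '>' is an assumption).
        if now - self.last_used > INACTIVITY_LIMIT:
            self.any_wan_enabled = False
            return False, "auto-disabled-inactive"
        self.last_used = now  # activity refreshes the timer
        return True, "any-wan"


def audit(policies: dict, now_iso: str) -> dict:
    """Days left before each portal's any-WAN switch auto-disables;
    None when that switch is already off (ACL-only access is unaffected)."""
    now = datetime.fromisoformat(now_iso)
    report = {}
    for name, pol in policies.items():
        if not pol.any_wan_enabled:
            report[name] = None
        else:
            report[name] = max(0, (INACTIVITY_LIMIT - (now - pol.last_used)).days)
    return report


def replay(policies: dict, events: list) -> list:
    """Run (timestamp, portal, source IP) events through the policies in order."""
    results = []
    for ts, portal, src in events:
        allowed, reason = policies[portal].evaluate(src, datetime.fromisoformat(ts))
        results.append((portal, src, allowed, reason))
    return results


def build_policies() -> dict:
    """Constructed starting state: web admin already locked to an ACL exception,
    User Portal still open to all WAN sources and last used mid-January."""
    return {
        "webadmin": PortalPolicy("webadmin", False, ["203.0.113.0/24"], datetime(2023, 1, 1)),
        "userportal": PortalPolicy("userportal", True, [], datetime(2023, 1, 15)),
    }


# Constructed sample events (documentation address ranges, invented dates).
SAMPLE_EVENTS = [
    ("2023-03-01T10:00:00", "webadmin", "203.0.113.7"),     # ACL exception hit
    ("2023-03-02T10:00:00", "userportal", "198.51.100.20"),  # any-WAN, 46 days idle
    ("2023-06-05T10:00:00", "userportal", "198.51.100.21"),  # 95 days idle -> auto-disabled
    ("2023-06-06T10:00:00", "webadmin", "198.51.100.99"),    # not in ACL, any-WAN off
    ("2023-06-07T10:00:00", "webadmin", "203.0.113.8"),      # ACL exception hit
]

if __name__ == "__main__":
    pols = build_policies()
    print("slack before auto-disable:", audit(pols, "2023-03-01T00:00:00"))
    for row in replay(pols, SAMPLE_EVENTS):
        print(row)
```

Running the block prints 45 days of slack for the User Portal on 1 March and then shows the third event being refused with "auto-disabled-inactive", after which the User Portal is reachable from WAN only if an ACL exception is added for the source; an auditor can call `audit` against a real "last used" timestamp to spot portals about to lose access before users notice.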

Be sure to check out our recent article on Best Practices for Securing Your Firewall.

New How-To Guides

  • Routing and NAT configuration for IPsec: New how-to tutorials are linked directly from the relevant section of the product to help with IPsec deployments including use cases such as system generated DHCP relay traffic, authentication traffic, and traffic to a host through existing IPsec tunnel.

Other Enhancements:

  • Dynamic Routing: Now supports up to 4K multicast groups for added scalability in dynamic routing deployments. This eliminates issues with dynamic routing failing to join multicast groups.
  • SD-RED: A new banner notifies admins about the approaching EoL (End-of-Life) for legacy RED 15(w) and RED 50 devices. Customers should upgrade their RED devices to the latest models with higher performance and improved connectivity.

Check out the v19.5 MR2 release notes for full details.

How to get the Firmware and Documentation

Sophos Firewall OS v19.5 MR2 is a free upgrade for all licensed Sophos Firewall customers and should be applied to all supported firewall devices as soon as possible to ensure that you have all the latest security fixes and feature updates.

This firmware release will follow our standard update process. You can manually download SFOS v19.5 MR2 from the Licensing Portal and update anytime. Otherwise, it will be rolled out to all connected devices over the coming weeks. A notification will appear on your local device or Sophos Central management console when the update is available, allowing you to schedule the update at your convenience.

Sophos Firewall OS v19.5 MR2 is a fully supported upgrade from all previous versions of v19.5, all previous versions of v19.0 and all previous versions of v18.5. Please refer to the Upgrade Information tab in the release notes for more details.

Full product documentation is available online and within the product.

Sincerely,

Sophos Firewall Product Team

  • How will users get their VPN configs from WAN if the link was not used in the last 90 days? I find this to be a big problem for me in future. Users must always be able to get to their VPN configs, especially as 2FA is implemented.

  • I agree with this completely. This is another bonehead decision from Sophos. The Connect client doesn't work properly yet is forced out, then the decision is made to force people to run a shell command to enable the user portal? This isn't even a decision Sophos should be making; again, another poorly thought out, poorly executed plan. Is there anyone on this team that actually deploys firewalls or understands what it means to administer a lot of these units? If MFA is enabled for the users, what else do you want? Administrators don't have access to everyone's MFA device, so how exactly is everyone supposed to update certificates, make deployment changes etc.? Fix all the nonsense with the Connect client and then do this; this is common sense.
