Sophos (XG) Firewall v18 MR5 (Build 586) is Now Available

We have fixed 4 important issues in the earlier v18 MR5 build; and have released another build for v18 MR5 (Build 586). We will continue calling this release as v18 MR5; And we have added build number in the release name on the web UI and SSH for easy identification, "v18 MR5-Build586".

Sophos Firewall devices that are already running the earlier v18 MR5 (Build 574) can upgrade to the new firmware (Build 586) with configuration migration supported.

Issues fixed in v18 MR5 Build 586:

  1. Fixed migration issue when multiple SNMP communities are configured (NC-71491)
  2. Fixed Sophos Connect Client download from user portal for MAC & Windows (NC-71456)
  3. Fixed Sophos Connect for the pre-shared key of length of 128 or more characters (NC-71582)
  4. Fixed Show pre-shared key on UI for IPSec remote access and L2TP (NC-72172)

The full v18 MR5 release is packed with many enhancements and more than 55 issues resolved. Please find more details in the original release post below.

XG Firewall v18 Maintenance Release 5 (MR5) is packed with enhancements to performance, security, reliability and central reporting.  With v18 MR5, we have published XG firewall integration for azure active directory and azure virtual WAN.

What's new in v18 MR5:

VPN Enhancements

  • A huge 50% increase in concurrent IPSec VPN tunnel capacity (learn more)
  • Port 443 sharing between SSL VPN and the Web Application Firewall (WAF)
  • IPSec provisioning file support for remote access via Sophos Connect v2.1


  • Integration with Azure Virtual WAN for a complete SD-WAN overlay network (learn more)


  • Integration with Azure Active Directory (learn more)

Certificate Management and Security

  • Form enhancements for creating certificate signing requests and certificates
  • Enhanced security for private keys
  • Upload/download support for PEM format certificates
  • Enhanced workflows for certificate management

Synchronized Security

  • Enhanced registration and de-registration in high-availability (HA) installations
  • Missing Heartbeat enhancements to reduce notifications sent for intended/expected changes in endpoint status

Sophos Central Firewall Reporting

  • New Cloud Application (CASB) report
  • MSP Flex Pricing for MSP partners

Issues resolved in v18 MR5

  • 50+ field reported issues have been resolved

More info available here: v18 MR5 release notes

Upgrade as soon as possible

While we always encourage you to keep your firewalls up to date with the latest firmware, over the next few months we are recommending you rapidly apply maintenance releases to ensure you have all the important security, performance, and feature enhancements applied as soon as possible.

Also ensure you have automatic pattern updates enabled so that you can be assured you have the latest protection updates.

XG Firewall v18 MR5 is an easy and fully supported upgrade from XG Firewall v17.5 MR6+ (including the latest v17.5 MR15 release). Please refer to the Upgrade information tab in the release notes for more details.

How to get it

As usual, this firmware update is no charge for all licensed XG Firewall customers. The firmware will be rolled out automatically to all systems over the coming weeks, but you can access the firmware anytime to do a manual update through the Licensing Portal.  Please refer to the documentation for more information on how to apply firmware updates.

Learning more about upgrading to XG Firewall v18

And if you still haven’t upgraded to v18, or are still exploring many of the new features, be sure to take advantage of all the resources available, including the recent “Making the Most of XG Firewall v18” article series that covers all the great new capabilities in XG Firewall v18:

Also check out our new and improved Sophos Community XG Firewall home page! Subscribe to the XG Blog for the latest news and releases, get expert answers to your technical questions, and find useful Community-created content in our "Recommended Reads" section!

  • I am completely fine with that! That is so much better than (in the worst case) bricking some XGs around the world.

    But again - I really miss that official info somewhere at this page. I would just like to know, whether it is ok, that non of our XGs is showing the release. As a partner, I am missing a central view across all appliances. So our day to day job at the moment is reviewing, whether *some* of the appliances already got the update available.

    As said - it is ok if the release phase is delayed. I would expect that the text block is updated accordingly. If you can't tell when the next phase should start, just write that down. 

    I would say, the best possible solution for me would be an additional note in Sophos Central at the Firewall Management (or the firewall itself), that there is a release available for manual download combined with a "you should expect this update to be available on [date]".
    With that, I am able to review several things at once: I can see, that the communication between the update server and the appliance works. I can see, that I am not part of the release yet. I can have a date, where I would come back to the appliance and discuss possible time slots for installation with a customer/internally.

    I don't want to rant here - I just want to make clear, that at least my collogues and myself are not aware, what's going on atm. We know, that there is a pending release, we know, that there was an fix for that release, but still nobody knows, in which release phase we are in. Please don't take this as a personal criticism - I just want to get rid of what information I would expect as a customer in the updates.

    I would also like to think that this post is not necessarily the best one to really discuss. I just want to get rid of my open, honest (and hopefully constructive) feedback. If you'd like to discuss it again, though, I'd be happy to :)

  • i have to agree with you. A few more information about what phase we are in would be nice. Sophos, it is just about to be a little bit more transparent to your customers.

  • Those information are currently under review, because of Stuff like Re Releases. This will delay the entire release phase. 

  • Same here for several appliances. As said before - I would just like to have the option to review, whether an appliance *should* show me the update. At least for me, a message like "a newer firmware is available - but we are still in a staged release" or an text box above like
    - DONE: Phase 1
    - CURRENT: Phase 2 - Update is available on some appliance 
    - NEXT: Phase 3 - Update will available on all appliances
    (next update on date x)

    would make it much clearer for me.

    Or am I just oversee something and this information is available somewhere?

  • Yes i saw that. But i have made bad experiences with manually uploading firmware to our cluster and reboot with new firmware manually. When using the automated firmware and upgrade feature the pain was there but not so big like installing firmware manually...