Sophos Firewall v19.5 Early Access

We are pleased to announce that the Early Access Program (EAP) is now underway for the latest and greatest Sophos Firewall OS release. This update to Sophos Firewall brings a number of exciting enhancements and top requested features.


Xstream SD-WAN

  • SD-WAN Load Balancing builds on the powerful SD-WAN capabilities introduced in v19 to add load balancing across multiple SD-WAN links for added performance and redundancy.
  • IPSec VPN Capacity is also significantly increased, enabling up to double the number of concurrent tunnels depending on your XGS Series model.
  • Dynamic Routing with OSPFv3 (IPv6), which has been one of our top requested features, brings enhanced routing, flexibility, security, and performance.

Xstream Protection and Performance

  • Xstream FastPath Acceleration of TLS encrypted traffic takes advantage of the hardware crypto capabilities in the Xstream Flow Processor to accelerate TLS encrypted traffic flows on the FastPath on the XGS 4300, 4500, 5500, and 6500. This provides added headroom and performance for traffic that requires deep-packet inspection.



High Availability

  • Several Status, Visibility and Ease-of-Use Enhancements improve the operation of high availability (HA) configurations.
  • Redundant Link Support enables your high availability devices to be connected with multiple redundant HA links to add resiliency and reliability.

Quality of Life Enhancements

  • Host and Service Object Search enables you to perform free text searches for host and service objects by name or value.
  • Enhanced .log file storage enables advanced troubleshooting.
  • Azure AD SSO for web console and UI login offers an alternate and easier method of authentication.
  • Enhanced 40G Interface Support – including auto-detection of advanced port configurations such as link mode and auto-negotiation. Also supports breakout of a 40G interface on the XGS 5500/6500 into 4 x 10G interfaces using DAC or fibre breakout cables.

Get the Full List of What’s New

Download the full What’s New guide for a complete overview of all the great new features and enhancements in v19.5.

Getting Started

Please visit the SFOS v19.5 EAP registration page to get started.

Sophos Firewall OS v19.5 EAP1 is a fully supported upgrade from any v18.5 firmware as well as v19, including the very recent v19 MR1 build 365.

Once you’re up and running, please provide feedback through your Sophos Firewall’s feedback mechanism (top right of every screen on your Firewall). Also visit our EAP community forums to share your experience with others.

Note: Please do not call Sophos Support for issues related to the EAP. Troubleshooting and support for all EAP versions is handled solely through the online Sophos Community EAP forums.

  • For XGS Hardware:

    For SSLVPN: AES-NI has been enabled since v19 and stays enabled in v19.5 as well. The performance boost that we observed after v19 is partially due to AES-NI path enablement for SSL.

    For IPsec: AES-NI has been used for quite some time. Speaking of hardware acceleration, v19 uses the Xstream Flow Processor to offload IPsec traffic onto a dedicated 2nd CPU. That was the reason for the 5x IPsec throughput improvement by upgrading the firmware to v19 or later.

    The same has been published in the Release notes and the what's new content for v19.

    For Software appliance:

    It may or may not work depending on the underlying HW specs.

  • I can confirm OpenSSL has AES-NI enabled now.

    SFVH_SO01_SFOS 19.5.0 EAP1-Build144# openssl speed -elapsed aes-128-cbc
    You have chosen to measure elapsed time instead of user CPU time.
    Doing aes-128 cbc for 3s on 16 size blocks: 25156274 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 64 size blocks: 6823083 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 256 size blocks: 1737810 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 1024 size blocks: 437998 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 8192 size blocks: 54792 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 16384 size blocks: 27401 aes-128 cbc's in 3.00s
    OpenSSL 1.1.1q 5 Jul 2022
    built on: Thu Sep 15 23:56:19 2022 UTC
    options:bn(64,32) rc4(8x,mmx) des(long) aes(partial) blowfish(ptr)
    compiler: ccache_cc -m32 -fPIC -pthread -m32 -Wa,--noexecstack -Wall -O3 -fomit-frame-pointer -pipe -g3 -fno-caller-saves -fhonour-copts -Wno-error=unused-but-set-variable -Wformat -Werror=format-security -fstack-protector-all -Wl,-z,now -Wl,-z,relro -Wall -pipe -D_FORTIFY_SOURCE=2 -O3 -fpic -ffunction-sections -fdata-sections -znow -zrelro -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG
    The 'numbers' are in 1000s of bytes per second processed.
    type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
    aes-128 cbc 134166.79k 145559.10k 148293.12k 149503.32k 149618.69k 149645.99k
    SFVH_SO01_SFOS 19.5.0 EAP1-Build144#
    SFVH_SO01_SFOS 19.5.0 EAP1-Build144#
    SFVH_SO01_SFOS 19.5.0 EAP1-Build144#
    SFVH_SO01_SFOS 19.5.0 EAP1-Build144#
    SFVH_SO01_SFOS 19.5.0 EAP1-Build144#
    SFVH_SO01_SFOS 19.5.0 EAP1-Build144# openssl speed -elapsed -evp aes-128-cbc
    You have chosen to measure elapsed time instead of user CPU time.
    Doing aes-128-cbc for 3s on 16 size blocks: 69935336 aes-128-cbc's in 3.00s
    Doing aes-128-cbc for 3s on 64 size blocks: 27822194 aes-128-cbc's in 3.00s
    Doing aes-128-cbc for 3s on 256 size blocks: 8170176 aes-128-cbc's in 3.00s
    Doing aes-128-cbc for 3s on 1024 size blocks: 2132884 aes-128-cbc's in 3.00s
    Doing aes-128-cbc for 3s on 8192 size blocks: 270640 aes-128-cbc's in 3.00s
    Doing aes-128-cbc for 3s on 16384 size blocks: 135446 aes-128-cbc's in 3.00s
    OpenSSL 1.1.1q 5 Jul 2022
    built on: Thu Sep 15 23:56:19 2022 UTC
    options:bn(64,32) rc4(8x,mmx) des(long) aes(partial) blowfish(ptr)
    compiler: ccache_cc -m32 -fPIC -pthread -m32 -Wa,--noexecstack -Wall -O3 -fomit-frame-pointer -pipe -g3 -fno-caller-saves -fhonour-copts -Wno-error=unused-but-set-variable -Wformat -Werror=format-security -fstack-protector-all -Wl,-z,now -Wl,-z,relro -Wall -pipe -D_FORTIFY_SOURCE=2 -O3 -fpic -ffunction-sections -fdata-sections -znow -zrelro -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG
    The 'numbers' are in 1000s of bytes per second processed.
    type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
    aes-128-cbc 372988.46k 593540.14k 697188.35k 728024.41k 739027.63k 739715.75k
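
The comparison made in the comment above, as an added example (not code from the post or from Sophos): the plain `openssl speed` run exercises OpenSSL's low-level AES routines, while `-evp` goes through the EVP interface, which is the path that can use AES-NI, so the ratio between the two result rows is the signal. The function names and the 2.0 threshold are assumptions; the sample rows are copied from the output above.

```shell
#!/bin/sh
# Added example: compare the result rows of two `openssl speed` runs.
# Sample input: header and result row copied from each run quoted above.
LEGACY_RUN='type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
aes-128 cbc 134166.79k 145559.10k 148293.12k 149503.32k 149618.69k 149645.99k'
EVP_RUN='type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
aes-128-cbc 372988.46k 593540.14k 697188.35k 728024.41k 739027.63k 739715.75k'

# throughputs TEXT: print the kB/s figures (fields like "149645.99k") of the
# last line in TEXT that carries any, space separated and without the "k".
throughputs() {
    printf '%s\n' "$1" | awk '
        { row = ""
          for (i = 1; i <= NF; i++)
              if ($i ~ /^[0-9]+(\.[0-9]+)?k$/) {
                  v = $i; sub(/k$/, "", v)
                  row = (row == "" ? v : row " " v)
              }
          if (row != "") last = row }
        END { if (last == "") exit 1; print last }'
}

# speedups LEGACY EVP: print the EVP/legacy throughput ratio per block size.
speedups() {
    a=$(throughputs "$1") || return 2
    b=$(throughputs "$2") || return 2
    printf '%s\n%s\n' "$a" "$b" | awk '
        NR == 1 { n = split($0, lo, " "); next }
        { if (split($0, hi, " ") != n) exit 2
          for (i = 1; i <= n; i++) {
              if (lo[i] == 0) exit 2
              printf "%s%.2f", (i > 1 ? " " : ""), hi[i] / lo[i]
          }
          print "" }'
}

# accel_likely LEGACY EVP [MIN_RATIO]: succeed when the EVP run beats the
# low-level run by MIN_RATIO at the largest block size. The 2.0 default is an
# assumed heuristic, not an OpenSSL or Sophos figure.
accel_likely() {
    r=$(speedups "$1" "$2") || return 2
    printf '%s\n' "$r" | awk -v min="${3:-2.0}" '{ exit !($NF + 0 >= min + 0) }'
}

speedups "$LEGACY_RUN" "$EVP_RUN"
accel_likely "$LEGACY_RUN" "$EVP_RUN" && echo "EVP path looks hardware accelerated"
```

For a direct confirmation, rerun the `-evp` benchmark with AES-NI masked through the `OPENSSL_ia32cap` environment variable (`OPENSSL_ia32cap="~0x200000200000000"`); if the EVP figures fall back toward the low-level ones, AES-NI was in use.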
