XG Firewall v18 MR1 is now rolling out globally, bringing new levels of visibility, protection and performance to your customers. When the notification for the latest firmware update appears in the console, we strongly encourage everyone to take advantage of the easy process to upgrade with just a few clicks. If you haven’t already done so, now is the time to upgrade your customer’s XG Firewalls to v18.
As there are many great new features in XG Firewall v18, our blog series over the coming weeks will be highlighting the most important new capabilities such as the new Xstream Architecture, the new zero-day threat protection, Sophos Central Management and Reporting, and how you and your customers can get the most out of them.
Upgrading to v18 MR1 is seamless from v17.5 MR6 and above, and from any other v18 release version. XG Firewall customers will soon see the new release appear in their console with a firmware upgrade notification, but there is no need to wait: the new release can be downloaded anytime from the MySophos Licensing Portal and the upgrade initiated manually.
- Roll out of a first automatic hotfix by Sophos.
- 23:55 UTC: Reported a possible bypass for the added security measures in the hotfix.
- Second hotfix released by Sophos, which disables the pre-auth email quarantine release feature.
- June 2020: Release of firmware 18.0 MR1-1, which contains a built-in fix.
Xstream Architecture
One of the flagship features in v18 is the new Xstream Architecture which includes a streaming DPI engine and TLS 1.3 inspection for encrypted traffic.
How is this architecturally different from the legacy web proxy solution? Put simply, the new Xstream DPI engine is specifically designed to achieve optimal performance and connection handling efficiency. It uses a single streaming engine that inspects traffic between a host on the network and an external server or service. This provides all the essential protection in a single pass:
- File and web malware scanning
- Intrusion Prevention (IPS) against attempts to exploit network vulnerabilities
- Application identification and control
By stream scanning files as they are downloaded from web servers, it can pass the content along to the end user while only holding the last portion of the file to complete the scan before either blocking the download or allowing the last packets to flow through. It does not need to hold the entire file while it’s being scanned.
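The held-back-tail behaviour described above is easy to misread, so here is an added Python illustration of the single-pass model (not Sophos code; the engine is stood in for by a toy byte-signature matcher, and the holdback size, chunk sizes and signature bytes are constructed for the example). It shows the property a practitioner should keep in mind: data ahead of the held-back tail has already reached the client by the time a late verdict arrives, so a blocked download is delivered truncated rather than withheld entirely.

```python
"""Stream scanning with a held-back tail.

Added illustration of the single-pass model described above; it is not
Sophos code and models the engine with a toy signature matcher. The
HOLDBACK size and the signature bytes are constructed for this example.
"""
from __future__ import annotations
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

HOLDBACK = 4096  # bytes withheld from the client until the verdict is in (assumed)
SIGNATURE = b"FAKE-MALWARE-SIGNATURE"  # constructed pattern, not a real one


class SignatureScanner:
    """Incremental byte-signature matcher.

    Keeps the last (longest signature - 1) bytes of what it has seen so a
    signature split across two chunks is still detected.
    """

    def __init__(self, signatures: Iterable[bytes]) -> None:
        self.signatures: List[bytes] = [s for s in signatures if s]
        self.max_len = max(len(s) for s in self.signatures)
        self.carry = b""
        self.hit: Optional[bytes] = None

    def update(self, data: bytes) -> Optional[bytes]:
        window = self.carry + data
        for sig in self.signatures:
            if sig in window:
                self.hit = sig
                break
        keep = self.max_len - 1
        self.carry = window[-keep:] if keep > 0 else b""
        return self.hit


def chunked(data: bytes, size: int) -> Iterator[bytes]:
    """Split a payload into fixed-size chunks (simulates packets arriving)."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def stream_scan(chunks: Iterable[bytes], scanner: SignatureScanner,
                holdback: int = HOLDBACK) -> Tuple[str, bytes]:
    """Forward a download to the client while scanning it in one pass.

    Every chunk is scanned on arrival; everything except the last
    `holdback` bytes is released immediately. The tail is released only
    once the whole stream has been scanned clean, so a blocked download
    is always missing at least its last `holdback` bytes.
    Returns (verdict, bytes actually delivered to the client).
    """
    delivered = bytearray()
    pending = b""
    for chunk in chunks:
        if scanner.update(chunk) is not None:
            return "blocked", bytes(delivered)   # withheld tail is dropped
        pending += chunk
        if len(pending) > holdback:
            delivered += pending[:-holdback]     # release all but the tail
            pending = pending[-holdback:]
    delivered += pending                          # scan complete: release tail
    return "allowed", bytes(delivered)


def demo() -> Dict[str, Tuple[str, int]]:
    """Run a clean and an infected constructed payload through the scanner."""
    clean = b"A" * 9522
    infected = b"A" * 9000 + SIGNATURE + b"B" * 500
    results = {}
    for name, payload in (("clean", clean), ("infected", infected)):
        verdict, delivered = stream_scan(chunked(payload, 1000),
                                         SignatureScanner([SIGNATURE]))
        results[name] = (verdict, len(delivered))
    return results


if __name__ == "__main__":
    for name, (verdict, n) in demo().items():
        print(f"{name}: {verdict}, {n} bytes reached the client")
```

With a 1000-byte chunk size and the 4096-byte holdback, the clean payload is delivered in full, while the infected one is stopped after 4904 bytes have already gone to the client and the signature itself never leaves the firewall. Shrinking the chunk size below the signature length shows why the scanner must carry bytes across chunk boundaries.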
And it’s FAST! How Fast? Many XG Firewall customers and partners have reported that the new DPI engine and TLS inspection are anywhere from two to three times faster than before.
Unlike the Xstream DPI engine, legacy protection in XG Firewall utilizes different engines for different jobs. There is a web proxy for inspecting and filtering web content, an IPS engine, and an application control solution. Rather than stream scanning as traffic flows through, the web proxy acts as a relay between the client and the external server. This has an advantage when packet header modifications need to be made to support features such as SafeSearch, YouTube restrictions, or Google domain restrictions as only the legacy web proxy can support these features, but in all other cases, it just means it’s handling more connections and doing more work.
Making the Most of the new Xstream DPI Engine and TLS Inspection
When upgrading XG Firewall to v18, all existing firewall rules will use the legacy web proxy by default, to ensure seamless upgrade compatibility. If features like SafeSearch, YouTube restrictions or Google domain restrictions are not required, the firewall rules should be switched to the new Xstream DPI engine. It requires a change to a single setting:
This setting determines if the firewall is using the legacy web proxy (checked) or the new Xstream DPI engine (unchecked).
By switching many firewall rules over to the new Xstream DPI Engine, you can see a tremendous performance benefit.
Taking advantage of the new TLS inspection engine with support for TLS 1.3 is also simple to configure – it essentially requires checking one box in your firewall to activate it and then creating a rule on the new SSL/TLS Inspection Rules tab as shown below.
As with any TLS inspection solution, the appliance CA certificate will need to be deployed to hosts on the network to support the firewall inspection. We recommend using the wizard built into the Microsoft Active Directory Group Policy Management tools to make this quick and easy.
TLS rules define what TLS traffic to decrypt and the associated decryption profile governs how to handle the decryption as well as protocol and cipher enforcement. The rules are structured and work identically to how firewall rules function in a top-down hierarchy.
We recommend starting gradually with TLS inspection, on a limited network sub-estate or a few test systems. This will allow you to build expertise with the new TLS inspection solution and explore the new rules, logging, reporting, and error handling options. Not all applications and servers fully and properly support TLS inspection, so watch the Control Center for errors and take advantage of the convenient built-in tools to exclude problematic sites or services.
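The two points above, rules evaluated top-down like firewall rules and exclusions for services that do not tolerate inspection, interact: an exclusion only works if it sits above the broad decrypt rule it is meant to carve out of. The following added Python example (not Sophos code) models that first-match evaluation and adds a check for rules that can never be reached because an earlier rule covers them. The zone, host and category names, the rule attributes, the profile names and the "do not decrypt" fall-through when nothing matches are all assumptions made for the example.

```python
"""Top-down TLS inspection rule matching with a shadowed-rule check.

Added illustration of the rule model described above (first match wins,
evaluated top-down), not Sophos code. Zone, host and category names, the
rule attributes and the default verdict are assumptions for the example.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY = None  # a criterion left empty matches everything


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_host: str
    category: str


@dataclass(frozen=True)
class TlsRule:
    name: str
    action: str                                   # "decrypt" | "do_not_decrypt"
    src_zones: Optional[FrozenSet[str]] = ANY
    dst_hosts: Optional[FrozenSet[str]] = ANY
    categories: Optional[FrozenSet[str]] = ANY
    profile: str = "default"                      # decryption profile name

    def matches(self, flow: Flow) -> bool:
        return ((self.src_zones is ANY or flow.src_zone in self.src_zones)
                and (self.dst_hosts is ANY or flow.dst_host in self.dst_hosts)
                and (self.categories is ANY or flow.category in self.categories))

    def covers(self, other: "TlsRule") -> bool:
        """True if every flow `other` could match is also matched by self."""
        def wider(a, b):
            return a is ANY or (b is not ANY and b <= a)
        return (wider(self.src_zones, other.src_zones)
                and wider(self.dst_hosts, other.dst_hosts)
                and wider(self.categories, other.categories))


def evaluate(rules: List[TlsRule], flow: Flow) -> Tuple[str, str]:
    """Walk the rule list top-down; the first matching rule decides.
    No match falls through to "do_not_decrypt" (assumed default)."""
    for rule in rules:
        if rule.matches(flow):
            return rule.name, rule.action
    return "<no match>", "do_not_decrypt"


def shadowed_rules(rules: List[TlsRule]) -> List[Tuple[str, str]]:
    """Return (rule, earlier rule) pairs where the earlier rule covers the
    later one, so the later rule can never be reached."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed rule set: exclude a pinned-certificate updater, skip banking,
# decrypt everything else leaving the LAN zone.
EXCLUDE_PINNED = TlsRule("exclude-pinned-app", "do_not_decrypt",
                         src_zones=frozenset({"LAN"}),
                         dst_hosts=frozenset({"updates.pinned-app.example"}))
SKIP_FINANCE = TlsRule("skip-banking", "do_not_decrypt",
                       categories=frozenset({"Finance"}))
DECRYPT_LAN = TlsRule("decrypt-lan-web", "decrypt",
                      src_zones=frozenset({"LAN"}),
                      profile="maximum-compatibility")
GOOD_ORDER = [EXCLUDE_PINNED, SKIP_FINANCE, DECRYPT_LAN]
BAD_ORDER = [DECRYPT_LAN, EXCLUDE_PINNED, SKIP_FINANCE]   # exclusion is unreachable

PINNED_FLOW = Flow("LAN", "updates.pinned-app.example", "Software Updates")
SHOP_FLOW = Flow("LAN", "shop.example", "Shopping")

if __name__ == "__main__":
    for label, rules in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print(label, "pinned app ->", evaluate(rules, PINNED_FLOW))
        print(label, "shadowed ->", shadowed_rules(rules))
```

Running it shows the pinned-app flow hitting the exclusion only when the exclusion is listed first; with the broad decrypt rule on top, `shadowed_rules` reports the exclusion as unreachable. The banking rule is not reported in either order because it also applies to zones other than LAN, so the LAN-only decrypt rule does not fully cover it.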
Once comfortable with the DPI engine and TLS inspection, we recommend applying it more broadly across your customer networks. However, with encrypted traffic volumes now at over 80% of all internet traffic, keep in mind that TLS Inspection is resource intensive due to the nature of the decryption/encryption algorithms. If a customer’s XG Firewall appliance is a few years old and already running at high load, it may be time for a hardware refresh or a new higher-performance model. Enabling TLS inspection on most internet traffic is now essential protection against the latest ransomware and threats as more and more hackers make use of TLS encryption to get onto networks and stay there undetected.
To learn more, the following resources are available to help make the most of the new features in XG Firewall v18:
Selling XG Firewall
On the Sophos partner portal, we provide you with a wealth of sales assets. You may filter the list of assets by selecting a category to narrow down the results. And don’t forget to check whether there is a sales promotion available for your region. It’s worth checking back from time to time to make sure you’re not missing out on a great opportunity!
Sophos has released the long-awaited MR-3 with many good fixes in the package; read all about it here:
RELEASE NOTES from Sophos:
Enhancements in v18 MR-3
Security enhancements:
- Several security and hardening enhancements, including SSMK (secure storage master key) for the encryption of sensitive data. Refer to KB-000040174 for more details.
- Granular option to enable/disable captcha authentication from the CLI
VPN Remote Access enhancements:
- Increase in SSL VPN connection capacity across the entire firewall line-up; 6x increase for 2U hardware. KB-000039345 is being updated with the enhanced capacity figures.
- Group support for Sophos Connect VPN client
Cloud – AWS/Azure/Nutanix enhancements:
- Support for newer AWS instances – C5/M5 and T3 (#)
- Support for CloudFormation Templates, removing the need to run the installation wizard in some cases (#)
- Virtual WAN Zone on custom gateway for post-deployment single-arm usage
- On single-arm deployments (a single interface in AWS or Azure), the admin can create multiple custom gateways and attach different zones to those gateways. This allows the admin to create access and security rules for traffic going into those zones.
- XG Firewall is now Nutanix AHV and Nutanix Flow Ready. XG Firewall has been validated to provide two modes of operation within Nutanix AHV infrastructure.
- Optimize cloud costs and improve security across multi-cloud environments with Cloud Optix. Automatic identification and risk-profiling of security and compliance risks across AWS, Azure and Google Cloud enables teams to fix security gaps and insecure deployments before they are compromised.
(# available after a few days of release on community, once v18 MR-3 is available in the AWS marketplace)
Central management enhancements:
- XG running in an HA configuration (either A-A or A-P) can now be managed by Sophos Central. Each firewall must be separately joined to the same Sophos Central account, and if grouped, both HA devices must be added to the same group.
- Audit trail is now available under the task queue
Central Firewall Reporting enhancements:
- Earlier this month we released save, schedule, export and download for reports. Refer to the community post here.
Issues Resolved:
- 34 field reported issues including RED & HA cluster issues (list below)
Note: Upgrading from v17.5 MR13/ MR14/ MR14-1 to v18 MR-3 is now supported.
Check out our recent blog and video series on how to make the most of the many great new capabilities in XG Firewall v18 such as the Xstream Architecture, TLS Inspection, FastPath acceleration, Zero-day threat protection, NAT, and much more.
We also have a new Sophos Techvids site for XG Firewall v18.
Get it now!
As usual, this firmware update is free of charge for all licensed XG Firewall customers. The firmware will be rolled out automatically to all systems over the coming weeks, but you can access the firmware anytime to do a manual update through the Licensing Portal. Refer to this article for more information on how to upgrade the firmware.
For fresh installations, the download links will be updated right here very soon.
Things to know before upgrading
Issues Resolved in v18 MR-3
- NC-58229 [Authentication] Sophos AV and Avira AV Pattern updates failing
- NC-51876 [Core Utils] Weak SSHv2 key exchange algorithms
- NC-58144 [DNS] XG self reporting its own lookups in ATP causing flood of events
- NC-54542 [Email] Email banner is added to incoming emails
- NC-59396 [Email] Blocked senders are able to send the mails
- NC-58159 [Firewall] Unable to ping the external IPs from auxiliary appliance console
- NC-58356 [Firewall] Direct proxy traffic doesn’t work when RBVPN is configured
- NC-58402 [Firewall] Firewall reboots randomly
- NC-59399 [Firewall] ERROR(0x03): Failed to migrate config. Loading default
- NC-60713 [Firewall] Userportal hotspot voucher config gets timeout
- NC-60848 [Firewall] HA cluster both nodes rebooting unexpectedly
- NC-59063 [Firmware Management] Remove expired CAs from SFOS
- NC-44455 [HA] System-originated traffic does not flow from AUX when an SNAT policy is configured for system-originated traffic
- NC-62850 [HA] Filesystem oddity in /conf
- NC-58295 [IPsec] Dropped due to TLS engine error: STREAM_INTERFACE_ERROR
- NC-58416 [IPsec] IKE SA rekeying does not re-initiate itself after retransmission timeout of 5 attempts
- NC-58499 [IPsec] Sophos Connect client IP is supposed to be added in the "##ALL_IPSEC_RW"
- NC-58687 [IPsec] IPsec tunnel not getting reinitiated after PPPoE reconnect
- NC-58075 [Netflow/IPFIX] Netflow data not sending interface ID
- NC-55698 [nSXLd] Not able to add new domain in custom category
- NC-62029 [PPPoE] PPPoE link does not reconnect after disconnecting
- NC-57819 [RED] XG Site to Site RED Tunnel disconnects randomly also with MR10 and v18
- NC-60240 [RED] Interfaces page is blank after adding SD-RED60 with PoE selected
- NC-61509 [RED] RCA: S2S RED tunnel static routes disappear on firmware update
- NC-62161 [RED] RED connection with device becomes unstable after upgrading to v18.0 MR1 from v17.5 MR12
- NC-59204 [SFM-SCFM] Task queue pending but never apply with XG86W appliance
- NC-60599 [SFM-SCFM] Task queue pending but never apply due to no proper encoding
- NC-62304 [SFM-SCFM] The notification e-mail sent from the XG displays the wrong Central Administrator
- NC-61956 [UI Framework] WebAdmin Console and User Portal not accessible because of a space in the certificate name
- NC-62218 [UI Framework] Post-auth command injection via User Portal 1/2 (CVE-2020-17352)
- NC-62222 [UI Framework] Post-auth command injection via User Portal 2/2 (CVE-2020-17352)
- NC-58960 [Up2Date Client] HA: IPS service observed DEAD
- NC-59064 [Web] Appliance goes unresponsive: Awarrenhttp high memory consumption
- NC-60719 [WebInSnort] DPI engine causing website to intermittently load slowly
Here are some direct links to helpful resources:
- Customer Training Portal (free Delta Training)
Source: https://community.sophos.com/xg-firewall/b/blog/posts/xg-firewall-v18-mr3