The adoption rate of our new Sophos Firewall v19.5 firmware continues to be our fastest ever, with nearly half of our massive install base already running the latest major release.
We are pleased to announce the availability of v19.5 MR2, the second maintenance release for v19.5.
Important Security and Hardening Enhancements
This release implements two security enhancements that harden your customers’ firewalls in line with industry best practices for protecting the firewall itself from attack.
These changes affect Web Admin and User Portal Access from the WAN:
Web Admin access for specific IPs:
- We strongly recommend disabling web admin console access from all WAN sources (the Internet) to reduce the potential for a brute force or reconnaissance attack. Instead, we suggest that remote management of firewalls be performed through Sophos Central which is free for all customers.
- If customers absolutely need WAN access to the web admin console, v19.5 MR2 requires that it be restricted to specific source IP addresses and networks using a local service ACL exception rule (Administration > Device access > Local service ACL exception rule). Enabling web admin console access from all WAN sources is no longer possible in new configurations.
- There is no impact for existing deployments: if web admin access is already enabled from all WAN sources, it continues to work after upgrading to v19.5 MR2, unless it is no longer being used (see the next point on the 90-day inactivity rule). However, as mentioned above, we strongly encourage customers to disable it, or at least move to the new ACL exception rule, to improve their security posture.
Web Admin or User Portal Access from all WAN sources (Internet) disabled after 90 consecutive days of inactivity:
- Many customers set up WAN access to the web admin console and/or User Portal long ago, no longer use it, and have forgotten about it, leaving their firewalls potentially exposed to brute force or reconnaissance attacks from the Internet.
- v19.5 MR2 will automatically disable web admin and/or user portal access from the internet (all WAN sources) after 90 consecutive days of inactivity.
- Access configured using the new ACL exception rule will NOT be disabled even after 90 days of inactivity.
- There is no impact for existing deployments with active usage. If customers have Web admin or User portal access enabled from all WAN sources, access to these portals will remain unaffected as long as there is activity at least every 90 days.
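The two changes above translate into a concrete pre-upgrade check: find out whether WAN access to each portal has actually been used in the last 90 days (so you know whether MR2 will auto-disable it), and which WAN source addresses legitimately log in (so you can seed the ACL exception rule instead of leaving access open to all WAN sources). The Python script below is an added example, not Sophos code; the log format, the sample records and the "upgrade day" are constructed for illustration, and real SFOS admin-login logs use a different format that would need its own parser. Failed logins are deliberately excluded from the suggested allowlist, since an unknown WAN address that only ever failed is more likely a brute-force source than an administrator.

```python
"""Pre-upgrade audit for the v19.5 MR2 WAN admin-access changes.

Added example, not Sophos code. The log format and records below are
constructed for illustration; real SFOS admin-login logs use a different
format and must be parsed accordingly.
"""
from datetime import datetime
import ipaddress
import re

INACTIVITY_DAYS = 90  # threshold stated in the MR2 announcement

# Constructed sample records: timestamp, portal, zone, source IP, result.
SAMPLE_LOG = """\
2023-03-01T08:12:00Z webadmin LAN 10.1.1.20 login_success
2023-03-02T09:00:00Z webadmin WAN 203.0.113.10 login_success
2023-03-02T09:05:00Z webadmin WAN 203.0.113.10 login_success
2023-04-15T22:30:00Z webadmin WAN 198.51.100.7 login_failure
2023-06-10T11:00:00Z userportal WAN 203.0.113.44 login_success
2023-07-01T07:45:00Z webadmin LAN 10.1.1.21 login_success
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<portal>webadmin|userportal) (?P<zone>\w+) "
    r"(?P<src>\S+) (?P<result>login_\w+)$"
)


def parse_log(text):
    """Parse the constructed format into dicts; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "portal": m["portal"],
            "zone": m["zone"],
            "src": ipaddress.ip_address(m["src"]),
            "result": m["result"],
        })
    return records


def wan_access_status(records, portal, now):
    """Days since the last WAN hit on a portal and whether the 90-day rule would disable it.

    Any hit (success or failure) counts as activity here, since a failed login is
    still traffic reaching the portal. The announcement does not define "activity"
    precisely, so treat this as an approximation of the firewall's own counter.
    """
    hits = [r for r in records if r["portal"] == portal and r["zone"] == "WAN"]
    if not hits:
        return {"last_activity": None, "days_idle": None, "would_disable": True}
    last = max(r["ts"] for r in hits)
    days_idle = (now - last).days
    return {"last_activity": last, "days_idle": days_idle,
            "would_disable": days_idle >= INACTIVITY_DAYS}


def suggest_acl_sources(records, portal):
    """Source addresses with successful WAN logins, as /32 (or /128) candidates
    for the local service ACL exception rule. Failed logins are excluded so that
    a brute-force source is never allowlisted by accident."""
    nets = {ipaddress.ip_network(str(r["src"]))
            for r in records
            if r["portal"] == portal and r["zone"] == "WAN"
            and r["result"] == "login_success"}
    return [str(n) for n in sorted(nets, key=lambda n: (n.version, int(n.network_address)))]


def audit(log_text, now_iso):
    """Run both checks for each portal; now_iso is the planned upgrade time (UTC)."""
    records = parse_log(log_text)
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ")
    return {portal: {"status": wan_access_status(records, portal, now),
                     "acl_sources": suggest_acl_sources(records, portal)}
            for portal in ("webadmin", "userportal")}


if __name__ == "__main__":
    for portal, result in audit(SAMPLE_LOG, "2023-07-15T00:00:00Z").items():
        print(portal, result)
```

With the constructed data, the web admin console's last WAN hit is a failed login 90 days before the upgrade day, so the script flags it as a candidate for auto-disable while still producing only the one address that actually authenticated as an allowlist entry; the User Portal saw activity 34 days ago and stays active. Run the same audit against your real logs before upgrading so that nobody is surprised by a disabled portal, and so the ACL exception rule is built from observed legitimate sources rather than guessed.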
Be sure to check out our recent article on Best Practices for Securing Your Firewall
New How-To Guides and Other Enhancements
- Routing and NAT configuration for IPsec: New how-to tutorials are linked directly from the relevant section of the product to help with IPsec deployments, including use cases such as system-generated DHCP relay traffic, authentication traffic, and traffic to a host through an existing IPsec tunnel.
- Dynamic Routing: Now supports up to 4K multicast groups for added scalability in dynamic routing deployments. This eliminates issues with dynamic routing failing to join multicast groups.
- SD-RED: A new banner notifies admins of the approaching End-of-Life (EoL) for legacy RED 15(w) and RED 50 devices. Customers should upgrade to the latest RED models for higher performance and improved connectivity.
Check out the v19.5 MR2 release notes for full details.
How to get it
Sophos Firewall OS v19.5 MR2 is a free upgrade for all licensed Sophos Firewall customers and should be applied to all supported firewall devices as soon as possible to ensure that they have all the latest security fixes and feature updates.
This firmware release will follow our standard update process. Customers can manually download SFOS v19.5 MR2 from the Licensing Portal and update anytime. Otherwise, it will be rolled out to all connected devices over the coming weeks. A notification will appear on your customers’ local device or Sophos Central management console when the update is available, allowing them to schedule the update at their convenience.
Sophos Firewall OS v19.5 MR2 is a fully supported upgrade from all previous versions of v19.5, all previous versions of v19.0 including the latest v19.0 MR2 and all previous versions of v18.5 including the latest v18.5 MR5. Please refer to the Upgrade Information tab in the release notes for more details.
Full product documentation is available online and within the product.