Following a very busy and successful early access program, the Sophos Firewall team is pleased to announce that v21.5 is now available to all licensed Sophos partners and customers bringing an industry-first innovation – integrating Network Detection and Response (NDR) – enhancing active threat detection on your network.

What’s New Overview

Watch this video, review the What’s New Guide, or consult the Release Notes:

 

An Industry First Innovation – NDR Essentials

Sophos is the first to integrate an NDR solution with a firewall, further extending Sophos Firewall’s advantages with XDR and MDR use cases. We’ve taken the novel approach of implementing NDR in the Sophos Cloud to offload all analysis processing from the firewall, eliminating any performance hit. We’re calling this NDR Essentials, and the best part is, we’re enabling this for all XGS Series firewall customers who have the Xstream Protection license bundle – at no extra charge.

How NDR Essentials Works:

Sophos Firewall’s XGS Series captures meta data from TLS encrypted traffic and DNS queries and sends that information to NDR Essentials in the Sophos Cloud where the data is analyzed using multiple AI engines.  It can detect malicious encrypted payloads without performing TLS decryption. This addresses a huge blind spot in most organizations where man-in-the-middle TLS inspection is not being used for performance, usability, or security reasons.  In addition, NDR Essentials domain generation algorithm detects new and suspect domains generated by malware that are often a key indicator of compromise and in many cases, can detect new c2 domains before they are even registered.

The meta data extraction is performed by a new lightweight engine implemented on the Xstream FastPath, and as a result, one caveat with this new capability is that it is only available on XGS Series hardware firewalls.  Virtual, software, and cloud firewalls may get this NDR Essentials integration capability in the future, but not in v21.5.

 

Demo Videos:

Read on for more details or watch these demo videos for deeper insights into how to make the most of the major new features and capabilities:

• NDR Essentials
• Entra ID SSO for Remote Access VPN
• DNS Protection
• Streamlined Management Enhancements

 

Other Enhancements and Top Requested Features

Entra ID (Azure AD) single sign-on for remote access VPN

One of your top requested features makes remote access VPN easier for end users, enabling them to use their corporate network credentials with the Sophos Connect client and the firewall VPN portal:

• Entra ID (Azure AD) single-sign on integration with Sophos Connect and the VPN portal is now included in SFOS v21.5
• It provides cloud-native integration over the industry standard OAuth 2.0 and OpenID Connect protocols for a seamless experience
• Supported with Sophos Connect client 2.4 (and later) on Microsoft Windows
• Other VPN and scalability enhancements

 

User interface and usability enhancements

Connection types have been renamed from “site-to-site” to “policy-based,” and tunnel interfaces have been renamed to “route-based” to make these more intuitive

• Improved IP lease pool validation: Across SSLVPN, IPsec, L2TP, and PPTP remote access VPN to eliminate potential IP conflicts
• Strict profile enforcement: On IPsec profiles that exclude default values to ensure a successful handshake, eliminating potential packet fragmentation and tunnels failing to establish properly
• Route-based VPN scalability: Route-based VPN capacity is doubled with support for up to 3,000 tunnels
• SD-RED scalability: Sophos Firewalls now support up to 1,000 site-to-site RED tunnels and up to 650 SD-RED devices.

 

Sophos DNS Protection

Last year, we launched our DNS Protection service and made it free for all Xstream Protection-licensed firewall customers. With this release, Sophos DNS Protection gets further integration with Sophos Firewall:

• New control center widget to indicate service status
• New troubleshooting insights via logging and notifications
• New guided tutorial on how to set up Sophos DNS Protection easily

 

Streamlined management and quality-of-life enhancements

As with every Sophos Firewall release, this version includes several quality-of-life enhancements that make day-to-day management easier:

• Resizable table columns: A long-requested feature, many firewall status and configuration screens now support resizable column widths that are retained in browser memory for subsequent visits. Many screens such as SD-WAN, NAT, SSL, Hosts and services, and site-to-site VPN, all benefit from this new feature.
• Extended free text search: SD-WAN routes now enable searching by route name, ID, objects, and object values like IP addresses, domains, or other criteria. Local ACL rules also now support searching by object name and value, including content-based search.
• Default configuration: By popular demand, the default firewall rules and rule group previously created when setting up a new firewall have been removed with only the default network rule and MTA rules provided during initial setup. The default firewall rule group and the default gateway probing for custom gateways are both set to “None” by default.
• New font: The Sophos Firewall user interface now sports a new lighter, cleaner, sharper font for added readability and improved performance

 

Other enhancements

• Virtual, software, cloud licensing: In case you missed it, all Sophos Firewall virtual, software, and cloud licenses (BYOL) no longer have RAM limits. Licenses are now strictly limited by core count and have no RAM restrictions.
• Larger file size limit in WAF: Supports a configurable request (upload) file size limit for Web Application Firewall (WAF), which can now scan files up to 1 GB
• Secure by design: We are continually improving the security of Sophos Firewall, and in this release are adding real-time telemetry gathering to flag any unexpected changes to core OS files using secure hash validation. This will enable our monitoring teams to proactively identify potential security incidents early before they can become a real problem.
• DHCP prefix delegation relaxation: Now supports /48 to /64 prefixes, improving interoperability with ISPs. Router advertisements (RA) and the DHCPv6 server are also now enabled by default.
• Path MTU discovery: This will resolve TLS decryption errors due to the latest ML-KEM (Kyber) key exchange support in browsers. The Sophos Firewall deep packet inspection engine will now automatically detect and adjust the MTU for each flow, ensuring optimal performance based on specific network conditions.
• NAT64 (IPv6 to IPv4 traffic): NAT64 is supported for IPv6 to IPv4 traffic in explicit proxy mode. In this mode, IPv6-only clients can access IPv4 websites. The firewall also supports IPv4 upstream proxy for IPv6-only clients.

 

How to get v21.5

As with every firewall release, Sophos Firewall v21.5 is a free upgrade for Sophos Firewall customers with Enhanced or Enhanced Plus Support and should be applied to all supported firewall devices as soon as possible. This release not only contains great features and performance enhancements, but also important security fixes.

This firmware release will follow our standard update process.

You can either wait until the firmware update notification appears in Sophos Central or your local device console or you can manually download the latest Sophos Firewall firmware from Sophos Central at any time.

Here’s a quick reminder on how to get the latest firmware from Sophos Central:

1. Log in to your Sophos Central account and select “Licensing” from the drop-down menu under your account name in the top right of the Sophos Central console.
   
2. Select Firewall Licenses on the top left of this screen.
   
3. Expand the firewall device you’re interested in updating by clicking the “>” to show the licenses and firmware updates available for that device.
   
4. Click the firmware release you want to download (note there is currently an issue with downloads working in Safari, so please use a different browser such as Chrome).
5. You can also click “Other downloads” in the same box above to access initial installers and software platform firmware updates.

The new v21.5 firmware will be gradually rolled out to all connected devices over the coming weeks. A notification will appear on your local device or Sophos Central management console when the update is available, allowing you to schedule the update at your convenience.

Sophos Firewall v21.5 is a fully supported upgrade from any supported Sophos Firewall firmware version.

 

Thank you!

A special thank you to all our dedicated partners and customers, especially those who helped make this release the best it could be by participating in the Early Access Program… Thank you!