Sophos Firewall v21.5 is now accessible – Sophos Information

Following a really busy and profitable early entry program, the Sophos Firewall staff is happy to announce that v21.5 is now accessible to all licensed Sophos companions and prospects.

This launch brings an industry-first innovation: integrating Community Detection and Response (NDR), which reinforces energetic menace detection in your community.

What’s new overview

Watch this temporary video for an outline of the discharge highlights:

Be taught extra

Watch these demo movies for deeper insights into tips on how to profit from the main new options or seek the advice of the earlier collection of articles on this launch:

Moreover, assessment the What’s New Information, seek the advice of the Launch Notes, or learn on for extra particulars.

Full particulars

An {industry} first innovation: NDR Necessities

Sophos is the primary to combine an NDR answer with a firewall, additional extending Sophos Firewall’s benefits with XDR and MDR use circumstances.

We’ve taken the novel strategy of implementing NDR within the Sophos Cloud to dump all evaluation processing from the firewall, eliminating any efficiency hit.

We’re calling this NDR Necessities, and the very best half is, we’re enabling this for all XGS Collection firewall prospects who’ve the Xstream Safety license bundle – at no additional cost.

How NDR Necessities works

Sophos Firewall’s XGS Collection captures meta knowledge from TLS encrypted site visitors and DNS queries and sends that data to NDR Necessities within the Sophos Cloud the place the information is analyzed utilizing a number of AI engines.

It may detect malicious encrypted payloads with out performing TLS decryption. This addresses an enormous blind spot in most organizations the place man-in-the-middle TLS inspection is just not getting used for efficiency, usability, or safety causes.

As well as, the NDR Necessities area technology algorithm detects new and suspect domains generated by malware which are typically a key indicator of compromise. In truth, in lots of circumstances, NDR Necessities can detect new C2 domains earlier than they’re even registered.

The meta knowledge extraction is carried out by a brand new light-weight engine carried out on the Xstream FastPath, and consequently, one caveat with this new functionality is that it’s only accessible on XGS Collection {hardware} firewalls. Digital, software program, and cloud firewalls could get this NDR Necessities integration functionality sooner or later, however not in v21.5.

NDR-E — NDR Necessities is straightforward to arrange and use from the Lively Risk Response part of the product.

Different enhancements and prime requested options

Entra ID (Azure AD) single sign-on for distant entry VPN

One among your prime requested options makes distant entry VPN simpler for finish customers, enabling them to make use of their company community credentials with the Sophos Join shopper and the firewall VPN portal:

Entra ID (Azure AD) single-sign on integration with Sophos Join and the VPN portal is now included in SFOS v21.5
It offers cloud-native integration over the {industry} commonplace OAuth 2.0 and OpenID Join protocols for a seamless expertise
Supported with Sophos Join shopper 2.4 (and later) on Microsoft Home windows
Different VPN and scalability enhancements

Person interface and usefulness enhancements

Connection varieties have been renamed from “site-to-site” to “policy-based,” and tunnel interfaces have been renamed to “route-based” to make these extra intuitive.

Improved IP lease pool validation: Throughout SSLVPN, IPsec, L2TP, and PPTP distant entry VPN to get rid of potential IP conflicts
Strict profile enforcement: On IPsec profiles that exclude default values to make sure a profitable handshake, eliminating potential packet fragmentation and tunnels failing to ascertain correctly
Route-based VPN scalability: Route-based VPN capability is doubled with assist for as much as 3,000 tunnels
SD-RED scalability: Sophos Firewalls now assist as much as 1,000 site-to-site RED tunnels and as much as 650 SD-RED units.

Sophos DNS Safety

Final yr, we launched our DNS Safety service and made it free for all Xstream Safety-licensed firewall prospects. With this launch, Sophos DNS Safety will get additional integration with Sophos Firewall.

New Management Heart widget to point service standing
New troubleshooting insights by way of logging and notifications
New guided tutorial on tips on how to arrange Sophos DNS Safety simply

Streamlined administration and quality-of-life enhancements

As with each Sophos Firewall launch, this model contains a number of quality-of-life enhancements that make day-to-day administration simpler.

Resizable desk columns: A protracted-requested characteristic, many firewall standing and configuration screens now assist resizable column widths which are retained in browser reminiscence for subsequent visits. Many screens corresponding to SD-WAN, NAT, SSL, Hosts and providers, and site-to-site VPN all profit from this new characteristic.
Prolonged free textual content search: SD-WAN routes now allow looking by route identify, ID, objects, and object values like IP addresses, domains, or different standards. Native ACL guidelines additionally now assist looking by object identify and worth, together with content-based search.
Default configuration: By fashionable demand, the default firewall guidelines and rule group beforehand created when establishing a brand new firewall have been eliminated, with solely the default community rule and MTA guidelines supplied throughout preliminary setup. The default firewall rule group and the default gateway probing for customized gateways are each set to “None” by default.
New font: The Sophos Firewall consumer interface now sports activities a brand new lighter, cleaner, sharper font for added readability and improved efficiency

Different enhancements

Digital, software program, cloud licensing: In case you missed it, all Sophos Firewall digital, software program, and cloud licenses (BYOL) not have RAM limits. Licenses are actually strictly restricted by core depend and don’t have any RAM restrictions.
Bigger file measurement restrict in WAF: Helps a configurable request (add) file measurement restrict for Net Utility Firewall (WAF), which might now scan information as much as 1 GB
Safe by design: We’re regularly bettering the safety of Sophos Firewall, and on this launch are including real-time telemetry gathering to flag any sudden modifications to core OS information utilizing safe hash validation. It will allow our monitoring groups to proactively determine potential safety incidents early earlier than they will grow to be an actual drawback.
DHCP prefix delegation rest: Now helps /48 to /64 prefixes, bettering interoperability with ISPs. Router ads (RA) and the DHCPv6 server are additionally now enabled by default.
Path MTU discovery: It will resolve TLS decryption errors because of the newest ML-KEM (Kyber) key trade assist in browsers. The Sophos Firewall deep packet inspection engine will now mechanically detect and alter the MTU for every stream, making certain optimum efficiency based mostly on particular community situations.
NAT64 (IPv6 to IPv4 site visitors): NAT64 is supported for IPv6 to IPv4 site visitors in express proxy mode. On this mode, IPv6-only purchasers can entry IPv4 web sites. The firewall additionally helps IPv4 upstream proxy for IPv6-only purchasers.

Learn how to get v21.5

As with each firewall launch, Sophos Firewall v21.5 is a free improve for Sophos Firewall prospects with Enhanced or Enhanced Plus Assist and must be utilized to all supported firewall units as quickly as potential. This launch not solely accommodates nice options and efficiency enhancements, but additionally vital safety fixes.

Sophos Firewall v21.5 is a totally supported improve from any supported Sophos Firewall firmware model.

This firmware launch will observe our commonplace replace course of. The brand new v21.5 firmware might be step by step rolled out to all linked units over the approaching weeks. A notification will seem in your native machine or Sophos Central administration console when the replace is on the market, permitting you to schedule the replace at your comfort.

You possibly can both wait till the firmware replace notification seems in Sophos Central or your native machine console, or you may manually obtain the newest Sophos Firewall firmware from Sophos Central at any time.

Right here’s a fast reminder about tips on how to get the newest firmware from Sophos Central:

1. Log in to your Sophos Central account and choose “Licensing” from the drop-down menu underneath your account identify within the prime proper of the Sophos Central console.

2. Choose Firewall Licenses on the highest left of this display screen.

3. Increase the firewall machine you’re serious about updating by clicking the “>” to point out the licenses and firmware updates accessible for that machine.

4. Click on the firmware launch you need to obtain (notice there may be at present a problem with downloads working in Safari, so please use a special browser corresponding to Chrome).

5. You too can click on “Different downloads” in the identical field above to entry preliminary installers and software program platform firmware updates.

Once more, the brand new v21.5 firmware might be step by step rolled out to all linked units over the approaching weeks. A notification will seem in your native machine or Sophos Central administration console when the replace is on the market, permitting you to schedule the replace at your comfort.