Sophos V18

Posted by admin

Sophos has released the long-awaited v18 MR-3, with many good fixes in the package; read it all in the release notes from Sophos: Enhancements in v18 MR-3. Security enhancements: several security and hardening enhancements, including SSMK (secure storage master key) for the encryption of sensitive data. Refer to KB-000040174 for more details.

A full walkthrough on setting up Sophos XG v18 from a fresh install to a basic deployment, very quickly. This will teach you which rules and settings are important.

XG Firewall v18 Maintenance Release 4 (MR4) is packed with enhancements to performance, security, reliability, and the management experience. XG Firewall MR4 also enables great new Sophos Central management capabilities. New Sophos Central enhancements: the new group policy import makes switching to Sophos Central from CFM or SFM quick and easy.

Sophos (XG) Firewall v18: DPI vs. web proxy filtering. An introduction to the XStream DPI engine in XG Firewall v18, including the principles of operation and how and when to use the DPI engine vs. the legacy proxy for web inspection. Skip ahead to these sections: 0:23 Differences between DPI and web proxy filtering; 2:39 Configuration in XG Firewall.

XG Series hardware appliances: 85/105/115/125/135 Rev. 3, 86/106 Rev. 1.

XG V18 is now available!

That’s right folks, XG V18 is out! Let’s talk about what this means at a practical level for your customers. Firstly, this is the most rigorously tested release ever, and this really shows from the feedback we’ve had from the 200,000+ appliances in the field that have already upgraded. Secondly this release unifies our approach to public cloud security on both AWS and Azure platforms. Now that XG can run in both, all those great stories we have been telling customers about Synchronized Security in their office and Azure environments also apply to AWS too! That said, however, the biggest news is the new XStream architecture and how it can be used to solve real-world challenges network managers face. Shall we have a look at a few of those challenges?

Is encryption rendering my Firewall useless?

Traffic visibility has always been a challenge in a world where the number of applications continues to grow, and those applications constantly change and evolve. When you add encryption to the mix, the traffic is hidden from the firewall inside a private connection and it becomes almost impossible to keep on top of things. In a recent survey, we found that on average 43% of traffic on a network is unclassified, and Google estimates that upwards of 80% of global internet traffic is encrypted. Now, allow me to be transparent and state that the ability to inspect SSL traffic on a firewall is nothing new. We’ve been doing it for years, and so has our competition. And yet in 97% of cases where SSL decryption could be enabled, it isn’t, leaving massive potential blind spots.

You might be asking “now why is this?” And rightly so. The reasons come down to two factors: performance and usability. The new XStream architecture is specifically designed to maximize firewall throughput by intelligently passing traffic only to the scanning engines that need to see it, while bypassing unnecessary scans. This boosts performance, but critically it also frees up resources that allow the XG Firewall to undertake the heavy lift required to inspect more SSL connections, solving the performance challenge. The next battle is usability, which again is solved by the new architecture. We have decoupled the SSL inspection engine from the web proxy, so we can inspect SSL traffic regardless of what port is in use, and the latest TLS 1.3 standard is supported to boost compatibility. Even with these changes, though, some applications simply cannot tolerate SSL inspection, for example because of certificate pinning. This tends to lead admins to simply turn off SSL inspection wholesale rather than risk the wrath of their users when applications start breaking. XG V18 changes things, because we can quickly show an admin which SSL connections are failing, and why, as well as offering simple one-click remediation of these issues. This allows an admin to enable SSL inspection with confidence, knowing the XG can handle the performance demands and will reliably report when things go wrong and config changes need to be made.

The threat landscape is evolving and my protection can’t keep up.

Sophos has long been at the forefront in the battle against new and unknown threats, and this is most clearly demonstrated through the innovative features in our Intercept X endpoint protection. XG V18 brings the best of this technology and incorporates it into the network layer, making the XG a more compelling purchase, either standalone or as part of a layered defense strategy. We’re calling this addition ‘Threat Intelligence’ and it will run in parallel with our already proven Sandstorm runtime analysis sandboxing service. Threat Intelligence analysis uses multiple threat modeling techniques, applying deep learning and artificial intelligence to compare various characteristics and genetics of a file against millions of known good and bad files. It provides a very accurate assessment of any new file in just seconds. Sandstorm and Threat Intelligence make a formidable pair when analyzing previously unseen files for evidence that they are malicious, keeping the latest threats off the network.

Sandstorm has also gone through significant enhancements. Firstly, remember that the virtual endpoints are covered with our award-winning Intercept X protection suite, leading to a high rate of conviction. In addition, we have incorporated technologies from our EDR platform to expose the machine learning decision tree in an overhauled Sandstorm threat report. This allows an admin to look at the decision coming from Sandstorm and what has influenced it, for example a file lacking an icon or packed in a particular way. Finally, in an industry first, Sandstorm reports show actual screenshots of the sandbox environment as the malware carries out its nefarious deeds, shining a spotlight into a previously black-box process.

My business relies on cloud-applications, efficient bandwidth usage and constant uptime.

We have looked at software-defined networking, or SD-WAN, in previous articles. But with V18 all of those capabilities gain their own configuration page, making our intentions in this space crystal clear. The traffic routing capabilities are comprehensive, empowering admins to throttle and route traffic based on source, application, and destination, and to define how failure states are handled. An enterprise may leverage an array of internet connectivity modes including leased line, MPLS, DSL, and cellular services, knowing they will be utilized with maximum efficiency, and knowing that in the event of an outage the highest-priority traffic will always take precedence on whatever connections remain functional.

Multiple site enterprises are also well catered to. Remember the XG is replete with site-to-site connectivity options such as SSL and IPSec VPN, as well as our unique RED technology, which can be used to link multiple XGs together or employed as a hardware solution for smaller branch offices. All of which are compelling alternatives to costly leased line or MPLS connectivity.

Finally, although not a new feature, Synchronized Application Control, whereby unknown applications are classified through endpoint to firewall collaboration, gains increased significance in light of the release of XG V18. Clearly any attempt to route or control traffic relies entirely on the ability to classify the application in question. Our unique power in this area to dynamically classify unknown apps means that even if an end user wants to control a bespoke application, this can be achieved when Sophos endpoint and firewall are brought together.

One more thing:

Although not strictly a part of the V18 release, it’s worth taking a moment to look at how Sophos Central and its links to XG are being strengthened. Since we first launched XG in Central, the team has added some great new features, such as backup and firmware management, the light-touch deployment option, and group firewall management. This last feature in particular is great for multi-site customers or MSPs, as it allows admins to manage an estate of firewalls as one, unifying policy, firmware updates, and more. And the best bit is that this service is free!

We have also launched Sophos Central reporting, bringing the power of the cloud and big-data analytics to bear on network activity and reporting with a full suite of powerful new reporting tools in Sophos Central for XG Firewall.

Hopefully you’ve found this article useful and it will enable you to position this exciting new release with your customers. I’ll leave you with some feedback from some of our early adopters:

“Being a part of the EAP was invaluable. Not only did we see the value in all of the enhancements, it gave us the confidence to upgrade 200 firewalls across our various customers immediately after it was available.”

“All I can say is my goodness it’s fast – much better performance.”

“I like it. It is fast. You have delivered a good release.”

“Memory use and CPU utilization have gone down by 30%”

“Performance is so much faster and management activities take less time.”

“HA fail over is much faster.”

“v18 gave us a significantly higher performance than I thought possible with our infrastructure. Teachers are now streaming 4K videos to their classes without issue. The changes to the management have greatly simplified our admin efforts, making configuration and troubleshooting much easier.”

Thanks for reading.


This article describes how to configure SSL VPN client-to-site access so that remote VPN users can reach the enterprise file server. Configuration is done on a Sophos XG firewall running firmware version 18.


Summary of configuration steps

  1. Configure SSL VPN Client to Site on Sophos XG
    1. Create SSL VPN group
    2. Create SSL VPN users
    3. Define IP host objects for the LAN network and the SSL VPN network
    4. Configure the authentication service for SSL VPN
    5. Open the SSL VPN access port
    6. Configure the profile for the SSL VPN client
    7. Create the firewall rule for communication between SSL VPN and LAN
    8. Access the User Portal to install the SSL VPN software
  2. Configure port forwarding (NAT) on the modem or router
  3. Configure the share on the file server
  4. Result

Configuration details

  1. Configure SSL VPN Client to Site on Sophos XG

Log in to the Sophos XG web admin console with an administrator account (the admin console listens on port 4444 by default).

1.1 Create SSL VPN Group

Creating a dedicated group for SSL VPN users makes administration easier: policies are applied to the group according to the needs of the business, and users inherit them by membership.

  • Authentication -> Groups -> Click Add
  • Create the SSL VPN group
    • Group Name: enter a name for the SSL VPN group (Ex: Remote SSL VPN group)
    • Surfing Quota: select the surfing quota policy you want to apply
    • Access Time: select the access time policy you want to apply

-> Click Save

1.2 Create SSL VPN Users

  • Authentication -> Users -> Click Add
  • Create the SSL VPN users
    • Username: enter the VPN username
    • Password: enter the SSL VPN user’s password
    • Email: enter an email address for the user
    • Group: choose the SSL VPN group created before

-> Click Save

1.3 Define IP host objects for the LAN network and the SSL VPN network

  • Hosts and Services -> IP Host -> Click Add
  • For the LAN network
    • Name: enter a name for your local network (Ex: Local subnet)
    • Type: choose Network
    • IP Address: enter the network address and subnet of the LAN (

-> Click Save

  • For the SSL VPN network
    • Name: enter a name for your SSL VPN network (Ex: Remote SSL VPN range)
    • Type: choose Network
    • IP Address: enter the network address and subnet that SSL VPN clients will be leased from (Ex:

-> Click Save

  • VPN -> SSL VPN (Remote Access) -> Click Add
    • Name: enter the policy name you want (Ex: Remote SSL VPN policy)
    • Policy members: choose the Remote SSL VPN group created before
    • Permitted network resources (IPv4): choose the Local subnet object created before. Only the networks listed here are pushed to the client as routes, so a LAN subnet missing from this list will not be reachable through the tunnel.

-> Click Apply


1.4 Configure authentication service for SSL VPN

  • Authentication -> Services -> under SSL VPN authentication methods -> in Selected authentication server -> choose Local
  • Authentication -> Services -> under Firewall authentication methods -> in Selected authentication server -> choose Local

1.5 Open access port for SSL VPN

  • Administration -> Device access -> tick SSL VPN for the WAN and LAN zones -> Click Apply
  • Tick User portal for the WAN zone only if remote users must download the client from the internet (step 1.8 through the forwarded port 443 in step 2); otherwise leave the User portal off the WAN and hand out the client from inside the network, which keeps one less login page exposed

1.6 Configure profile for SSL VPN Client

  • VPN -> Click Show VPN settings -> SSL VPN
  • In IPv4 lease range: enter the address range to hand out to SSL VPN users. It must match the Remote SSL VPN range IP host created in step 1.3, so that the object can be referenced in firewall and NAT rules
  • If the firewall sits behind a NAT router (step 2), also set Override hostname to the router’s public IP address or DNS name; otherwise the client configuration downloaded in step 1.8 points at the firewall’s private WAN address and remote clients cannot connect

-> Click Apply

1.7 Create the firewall rule for communication between SSL VPN and LAN

  • Rules and policies -> Click Add firewall rule -> New firewall rule
  • Enter a name for the rule
  • In Source zones: choose VPN
  • In Source networks and devices: choose Any
  • In Destination zones: choose LAN
  • In Destination networks: choose Local subnet
  • Tick Match known users
  • In Users or groups: choose the SSL VPN group created before. This is what ties the rule to authenticated VPN users rather than to any address in the VPN zone
  • Services can stay at Any for this walkthrough, but for a file server it is better to limit them to the file-sharing ports the server actually needs

-> Click Save

1.8 Access the User Portal to install the SSL VPN software

  • Log in to the User Portal at https://ipfirewall:443 or https://ipfirewall:4443
  • Use the SSL VPN user account to log in
  • Under Download Client -> choose Download for Windows
  • Install the SSL VPN software
  • Check that the SSL VPN software is installed by looking for its icon in the notification area of the taskbar (bottom right corner of the screen)
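Steps 1.3 and 1.7 are the ones you repeat on every firewall, so here is the same configuration driven through the XG XML API instead of the web console. This is an added example, not code from the article or from Sophos; the firewall address, network ranges and object names are assumptions, and the IPHost and FirewallRule/UserPolicy field names follow the XG XML API reference as I recall it, so verify them against the API documentation for your firmware before relying on them. The response parser is exercised with a constructed sample response rather than one captured from a real device.

```python
"""Create the two IP host objects (step 1.3) and the VPN->LAN user rule (step 1.7)
through the XG XML API. Added example; entity field names are assumptions to verify."""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Assumed values: the firewall's LAN address and the networks used in the walkthrough.
API_URL = "https://192.168.1.1:4444/webconsole/APIController"
LAN_NET, LAN_MASK = "192.168.1.0", "255.255.255.0"
VPN_NET, VPN_MASK = "10.81.234.0", "255.255.255.0"   # must equal the SSL VPN lease range (step 1.6)


def build_request(username, password, group="Remote SSL VPN group",
                  lan=("Local subnet", LAN_NET, LAN_MASK),
                  vpn=("Remote SSL VPN range", VPN_NET, VPN_MASK),
                  rule_name="SSL VPN to LAN"):
    """Return the request XML as a string (login + one Set with three entities)."""
    req = ET.Element("Request", APIVersion="1805.1")
    login = ET.SubElement(req, "Login")
    ET.SubElement(login, "Username").text = username
    ET.SubElement(login, "Password").text = password
    setel = ET.SubElement(req, "Set", operation="add")

    for name, net, mask in (lan, vpn):           # step 1.3: two Network-type IP hosts
        host = ET.SubElement(setel, "IPHost")
        ET.SubElement(host, "Name").text = name
        ET.SubElement(host, "IPFamily").text = "IPv4"
        ET.SubElement(host, "HostType").text = "Network"
        ET.SubElement(host, "IPAddress").text = net
        ET.SubElement(host, "Subnet").text = mask

    rule = ET.SubElement(setel, "FirewallRule")  # step 1.7: identity-based rule VPN -> LAN
    ET.SubElement(rule, "Name").text = rule_name
    ET.SubElement(rule, "IPFamily").text = "IPv4"
    ET.SubElement(rule, "Status").text = "Enable"
    ET.SubElement(rule, "Position").text = "Top"
    ET.SubElement(rule, "PolicyType").text = "User"
    pol = ET.SubElement(rule, "UserPolicy")
    ET.SubElement(pol, "Action").text = "Accept"
    ET.SubElement(pol, "LogTraffic").text = "Enable"
    ET.SubElement(ET.SubElement(pol, "SourceZones"), "Zone").text = "VPN"
    ET.SubElement(ET.SubElement(pol, "DestinationZones"), "Zone").text = "LAN"
    ET.SubElement(ET.SubElement(pol, "DestinationNetworks"), "Network").text = lan[0]
    ET.SubElement(ET.SubElement(pol, "Identity"), "Member").text = group  # "Match known users"
    return ET.tostring(req, encoding="unicode")


def parse_response(xml_text):
    """Map each entity tag to a list of (status code, message). The API answers per
    entity, so a failed FirewallRule does not roll back IPHost objects created before it."""
    root = ET.fromstring(xml_text)
    results = {}
    for child in root:
        if child.tag == "Login":
            results["Login"] = [(None, (child.findtext("status") or "").strip())]
            continue
        status = child.find("Status")
        if status is not None:
            results.setdefault(child.tag, []).append(
                (status.get("code"), (status.text or "").strip()))
    return results


def send(xml_text, cafile=None, timeout=15):
    """POST the request. The API must be enabled under Backup & firmware > API with this
    client's IP in the allowed list. XG ships a self-signed console certificate: pass it
    as cafile= rather than disabling verification, since the request carries credentials."""
    ctx = ssl.create_default_context(cafile=cafile)
    body = urllib.parse.urlencode({"reqxml": xml_text}).encode()
    with urllib.request.urlopen(API_URL, data=body, context=ctx, timeout=timeout) as resp:
        return resp.read().decode()


# Constructed sample response (not captured from a real firewall) to exercise the parser.
SAMPLE_RESPONSE = """<Response APIVersion="1805.1" IPS_CAT_VER="1">
  <Login><status>Authentication Successful</status></Login>
  <IPHost transactionid=""><Status code="200">Configuration applied successfully.</Status></IPHost>
  <IPHost transactionid=""><Status code="200">Configuration applied successfully.</Status></IPHost>
  <FirewallRule transactionid=""><Status code="502">Operation failed. Entity having same name already exists.</Status></FirewallRule>
</Response>"""

if __name__ == "__main__":
    print(build_request("apiuser", "changeme"))          # dry run: inspect before sending
    for entity, statuses in parse_response(SAMPLE_RESPONSE).items():
        print(entity, statuses)
    # print(parse_response(send(build_request("apiuser", "changeme"), cafile="xg-console.pem")))
```

Check every per-entity status rather than only the login line: in the constructed sample the two IPHost objects succeed while the FirewallRule is rejected, and a script that only looks at the first status would report success.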


2. Configure port forwarding (NAT) on the modem or router

  • Log in to the modem or router with the admin account
  • Two TCP ports must be forwarded to the Sophos XG WAN address so that the SSL VPN client can reach the firewall: 443 (User Portal, only needed if clients download the software from outside) and 8443 (the SSL VPN service itself, the XG v18 default)
  • Forward nothing else; in particular never forward 4444, the web admin console port
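After the forwards are in place, verify from a host outside the network that exactly the intended ports answer. The following is an added example, not part of the original article or any Sophos tool; the public address is assumed, the port roles are XG v18 defaults, and the probe only checks that a TLS server answers (it does not evaluate the certificate, since the default console certificate is self-signed).

```python
"""Probe the router's public address after step 2: 443/8443 should answer TLS,
4444 (admin console) must not. Added example with an assumed public address."""
import socket
import ssl

PUBLIC_HOST = "203.0.113.10"                 # assumed: the router's public address

EXPECTED = {
    443: "User Portal (client download)",    # drop this forward if clients get the config from inside
    8443: "SSL VPN",                         # required for the client to connect
}
MUST_BE_CLOSED = {
    4444: "web admin console",               # exposing this to the WAN is a misconfiguration
}


def probe_tls(host, port, timeout=5):
    """Return ('tls', version) if a TLS server completes a handshake, ('no-tls', None) if
    something answers but is not TLS, or ('closed', None) on refusal/timeout."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # reachability only; trust is not evaluated here
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("tls", tls.version())
    except ssl.SSLError:                     # must come first: SSLError is a subclass of OSError
        return ("no-tls", None)
    except OSError:
        return ("closed", None)


def assess(states):
    """states: {port: 'tls' | 'no-tls' | 'closed'}. Returns findings; empty means the
    exposure matches the intent of step 2."""
    findings = []
    for port, role in EXPECTED.items():
        if states.get(port) != "tls":
            findings.append(f"port {port} ({role}) does not answer TLS: "
                            f"check the forward and Device access (step 1.5)")
    for port, role in MUST_BE_CLOSED.items():
        if states.get(port) in ("tls", "no-tls"):
            findings.append(f"port {port} ({role}) is reachable from the internet: remove that forward")
    return findings


def run(host=PUBLIC_HOST):
    ports = set(EXPECTED) | set(MUST_BE_CLOSED)
    states = {p: probe_tls(host, p)[0] for p in sorted(ports)}
    return states, assess(states)


if __name__ == "__main__":
    states, findings = run()
    print(states)
    print("\n".join(findings) or "exposure matches intent")
```

Run it from a mobile hotspot or a cloud VM, not from inside the LAN, because hairpin NAT on many consumer routers makes the result from inside meaningless.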

3. Configure the file server

  • On the file server, share the folder with read and write permission for all users, including the VPN users
  • If the server runs a host firewall, make sure its file-sharing rule accepts connections from the SSL VPN range (step 1.6) and not only from the local subnet. Windows’ File and Printer Sharing rules are scoped to the local subnet on the Private profile by default, and VPN clients arrive from a different subnet

4. Results

  • Start the SSL VPN client-to-site connection by opening the application installed on your computer
  • Right-click the SSL VPN application icon -> choose your username -> click Connect -> enter your username and password -> click OK
  • Wait a few seconds for the connection to the intranet to come up
  • When the connection succeeds you receive a notification that the tunnel is up and an IP address from the lease range is assigned to you
  • The application icon shows the connected state
  • Access the file server by its IP address, which is
  • Type in the address bar:

-> Done
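The notification only proves the tunnel came up. Whether a particular server is reached through it depends on the routes pushed by the SSL VPN policy (step 1.3) and on the firewall rule (step 1.7), so here is an added client-side check, not part of the original article or the Sophos client, run on the Windows machine after connecting. The lease range and file server address are assumptions (the article leaves the real values out).

```python
"""Run on the client after the SSL VPN client reports 'connected': confirms the file
server is reached via the VPN-assigned address and that its SMB port is open.
Added example; addresses are assumptions."""
import ipaddress
import socket

LEASE_RANGE = "10.81.234.0/24"     # assumed: the IPv4 lease range from step 1.6
FILE_SERVER = "192.168.1.20"       # assumed: address of the file server in the LAN
SMB_PORT = 445


def source_address_for(dst, port=SMB_PORT):
    """Ask the local routing table which source address would be used to reach dst.
    connect() on a UDP socket sends nothing; it only resolves the route."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((dst, port))
        return s.getsockname()[0]


def uses_tunnel(src_ip, lease_range=LEASE_RANGE):
    """True when traffic to the server would leave through the VPN-assigned address."""
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(lease_range, strict=False)


def smb_reachable(host=FILE_SERVER, port=SMB_PORT, timeout=3):
    """TCP connect to the SMB port; a refused or timed-out connect is a failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(src_ip, smb_ok, lease_range=LEASE_RANGE):
    """Turn the two observations into the next thing to check in the walkthrough."""
    if not uses_tunnel(src_ip, lease_range):
        return ("not routed via VPN: the SSL VPN policy (step 1.3) must list the LAN "
                "subnet under permitted network resources")
    if not smb_ok:
        return ("tunnel ok but port 445 closed: check the firewall rule (step 1.7) and "
                "the file server's host firewall scope (step 3)")
    return "ok"


if __name__ == "__main__":
    src = source_address_for(FILE_SERVER)
    ok = smb_reachable()
    print(f"source address {src}, SMB reachable: {ok}")
    print(diagnose(src, ok))
```

If the source address is the machine's normal LAN or Wi-Fi address, the client never received a route for the server's subnet and the packets are leaving through the local gateway, which is the usual reason a connected client still cannot open the share.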
