Sophos has released the long-awaited MR-3 with many good fixes in the package; read all here:
RELEASE NOTES from Sophos:
Enhancements in v18 MR-3
- Several security and hardening enhancements, including SSMK (secure storage master key) for the encryption of sensitive data. Refer to KB-000040174 for more details.
- Granular option to enable/disable captcha authentication from the CLI
VPN Remote Access enhancements:
- Increase in SSL VPN connection capacity across the entire firewall line-up; 6x increase for 2U hardware. KB-000039345 is being updated with the enhanced capacity figures.
- Group support for Sophos Connect VPN client
Cloud (AWS/Azure/Nutanix) enhancements:
- Support for newer AWS instances: C5/M5 and T3 (#)
- Support for CloudFormation Templates, removing the need to run the installation wizard in some cases (#)
- Virtual WAN zone on custom gateway for post-deployment single-arm usage
- On single-arm deployments (a single interface in AWS or Azure), admins can create multiple custom gateways and attach different zones to those gateways. This allows admins to create access and security rules for traffic going into those zones.
- XG Firewall is now Nutanix AHV and Nutanix Flow Ready. XG Firewall has been validated to provide two modes of operation within Nutanix AHV infrastructure.
- Optimize cloud costs and improve security across multi-cloud environments with Cloud Optix. Automatic identification and risk-profiling of security and compliance risks across AWS, Azure and Google Cloud enables teams to fix security gaps and insecure deployments before they are compromised.
(# available on community a few days after release, once v18 MR-3 is available in the AWS marketplace)
Central management enhancements:
- XG running in an HA configuration (either A-A or A-P) can now be managed by Sophos Central. Each firewall must be separately joined to the same Sophos Central account, and if grouped, both HA devices must be added to the same group.
- Audit trail is now live under the task queue
Central Firewall Reporting enhancements:
- Earlier this month we released save, schedule, export and download for reports. Refer to the community post here.
Other fixes:
- 34 field-reported issues, including RED and HA cluster issues (list below)
Note: Upgrading from v17.5 MR13/MR14/MR14-1 to v18 MR-3 is now supported.
Check out our recent blog and video series on how to make the most of the many great new capabilities in XG Firewall v18 such as the Xstream Architecture, TLS Inspection, FastPath acceleration, Zero-day threat protection, NAT, and much more.
We also have a new Sophos Techvids site for XG Firewall v18.
Get it now!
As usual, this firmware update is free of charge for all licensed XG Firewall customers. The firmware will be rolled out automatically to all systems over the coming weeks, but you can access the firmware at any time to do a manual update through the Licensing Portal. Refer to this article for more information on how to upgrade the firmware.
For fresh installations, the download links will be updated right here very soon.
Things to know before upgrading
Issues Resolved in v18 MR-3
- NC-58229 [Authentication] Sophos AV and Avira AV Pattern updates failing
- NC-51876 [Core Utils] Weak SSHv2 key exchange algorithms
- NC-58144 [DNS] XG self reporting its own lookups in ATP causing flood of events
- NC-54542 [Email] Email banner is added to incoming emails
- NC-59396 [Email] Blocked senders are still able to send mail
- NC-58159 [Firewall] Unable to ping the external IPs from auxiliary appliance console
- NC-58356 [Firewall] Direct proxy traffic doesn’t work when RBVPN is configured.
- NC-58402 [Firewall] Firewall reboots randomly.
- NC-59399 [Firewall] ERROR(0x03): Failed to migrate config. Loading default.
- NC-60713 [Firewall] Userportal hotspot voucher config gets timeout
- NC-60848 [Firewall] HA cluster both nodes rebooting unexpectedly
- NC-59063 [Firmware Management] Remove expired CAs from SFOS
- NC-44455 [HA] System-originated traffic does not flow from AUX when an SNAT policy is configured for system-originated traffic
- NC-62850 [HA] Filesystem oddity in /conf
- NC-58295 [IPsec] Dropped due to TLS engine error: STREAM_INTERFACE_ERROR
- NC-58416 [IPsec] IKE SA rekeying does not re-initiate itself after retransmission times out after 5 attempts
- NC-58499 [IPsec] Sophos Connect Client IP is supposed to be added to ##ALL_IPSEC_RW
- NC-58687 [IPsec] IPsec tunnel not getting reinitiated after PPPoE reconnect
- NC-58075 [Netflow/IPFIX] Netflow data not sending interface ID
- NC-55698 [nSXLd] Not able to add new domain in custom category
- NC-62029 [PPPoE] PPPoE link does not reconnect after disconnecting
- NC-57819 [RED] XG Site to Site RED Tunnel disconnects randomly also with MR10 and v18
- NC-60240 [RED] Interfaces page is blank after adding SD-RED60 with PoE selected
- NC-61509 [RED] RCA: site-to-site RED tunnel static routes disappear on firmware update
- NC-62161 [RED] RED connection with device becomes unstable after upgrading to v18.0 MR1 from v17.5 MR12
- NC-59204 [SFM-SCFM] Task queue pending but never applied with XG86W appliance
- NC-60599 [SFM-SCFM] Task queue pending but never applied due to improper encoding
- NC-62304 [SFM-SCFM] The notification e-mail sent from the XG displays the wrong Central Administrator
- NC-61956 [UI Framework] WebAdmin Console and User Portal not accessible because of a space in the certificate name
- NC-62218 [UI Framework] Post-auth command injection via User Portal 1/2 (CVE-2020-17352)
- NC-62222 [UI Framework] Post-auth command injection via User Portal 2/2 (CVE-2020-17352)
- NC-58960 [Up2Date Client] HA: IPS service observed DEAD
- NC-59064 [Web] Appliance goes unresponsive: Awarrenhttp high memory consumption
- NC-60719 [WebInSnort] DPI engine causing website to intermittently load slowly
Here are some direct links to helpful resources:
- Customer Training Portal (free Delta Training)
Working remotely and using VPN has become an important part of everyday life. With XG Firewall it’s extremely easy, and free! XG Firewall is the only firewall to offer unlimited remote access SSL or IPsec VPN connections at no additional charge. And we’ve significantly boosted SSL VPN capacity across our entire product range in XG Firewall v18 MR3 through several optimizations.
Our new Sophos Connect v2 remote access VPN client also adds new features that make remote access faster, better and easier.
Sophos Connect v2
- SSL VPN support for Windows
- Bulk deployment of SSL VPN configurations (as with IPSec) via an enhanced provisioning file
- Enhanced DUO token multi-factor authentication support
- Auto-Connect option for SSL
- Option to execute a logon script when connecting
- Remote gateway availability probing
- Automatic failover to the next active firewall WAN link if one link fails
- Automatic synchronization of the latest user policy if the SSL policy is updated on the firewall (when using the provisioning file to deploy) as well as a manual re-synchronization of the latest policy
- File extension association for policy files – import a policy file into Sophos Connect just by double-clicking it in Windows Explorer, or opening the file attached in an email
XG Firewall v18 MR3 Remote Access Enhancements:
- Enhanced SSL VPN connection capacity across our entire firewall line-up. The capacity increase depends on your firewall model: desktop models can expect a modest increase, while rack-mount units will see a 3-5x improvement in SSL VPN connection capacity.
- Group support for IPsec VPN connections, which now enables group imports from AD/LDAP/etc. for easy setup of group access policies.
Making the Most of Sophos Connect Remote Access
The first decision you will want to make is whether you wish to use SSL, IPsec, or both. Then set up your firewall to accept Sophos Connect VPN connections before deploying the client and connection configuration to your users.
SSL vs IPSec
With Sophos Connect v2 now supporting SSL (on Windows) and with the enhanced SSL VPN capacity available in XG Firewall v18 MR3, we strongly encourage everyone to consider using SSL to get the best experience and performance for your remote access users.
While macOS support for SSL remote access via Sophos Connect is expected soon, we recommend any organizations using macOS take advantage of the new OpenVPN macOS client in the interim.
XG Firewall Setup
SSL VPN Setup is very straightforward:
- Follow these initial setup instructions for creating an IP address range for your clients, user group, SSL access policy, and authentication.
- SSL VPN requires access to the XG Firewall User Portal. For optimal security, we strongly advise the use of multi-factor authentication. Set up two-factor authentication via Authentication > One-time password > Settings so that only MFA-authenticated users can access the user portal.
- Create a firewall rule that enables traffic from the VPN zone to access your LAN zone (or whatever zones are desired).
Deployment of the client is equally easy:
- Client Installer: The client installer is available by navigating to VPN > Sophos Connect Client on your XG Firewall. Sophos Connect documentation is available here.
- Connection Configuration: The SSL VPN connection configuration (OVPN) file is accessible via the User Portal, but we strongly encourage the use of a provisioning file to automatically fetch the configuration from the portal. This requires a bit more up-front effort, but greatly simplifies the deployment process and enables changes to the policy without redeploying the configuration. Review the full instructions on how to create a provisioning file with samples.
- Group Policy Management: The best way to deploy the remote access client and provisioning file is via Microsoft Group Policy Management. You will need the files mentioned in the steps above; then follow these step-by-step instructions. You can also use any other software deployment tool you have available, even email.
Monitoring Active Usage:
You can monitor connected remote users from the XG Firewall control center, and click through to drill down into the details.
Sophos Connect Resources and Helpful Links