Sophos Firewall v21.5 Early Access Announcement

Long-awaited features are here, especially Entra ID SSO for VPN – release notes are here:

Sophos Firewall v21.5 Early Access

We are pleased to announce that the Early Access Program (EAP) is now underway for the latest Sophos Firewall release. This update brings exciting industry-first enhancements and top-requested features, including…

NDR Essentials in Sophos Firewall

Sophos Firewall customers with Xstream Protection now get Sophos NDR Essentials in the cloud, for no extra charge, significantly bolstering network protection:

Sophos NDR Essentials can detect active adversaries using encryption without using TLS decryption thanks to AI Convolutional Neural Network (CNN) analysis. Sophos NDR Essentials can also detect advanced domain generation algorithms that try to evade normal DNS and web filtering.

Sophos NDR Essentials delivers a new layer of protection, and since it’s cloud-hosted by Sophos, it doesn’t impact your firewall performance at all – further strengthening our industry-leading performance and protection. Review the What’s New Guide for full details.

Set up and monitor NDR Essentials threat feeds under the Active Threat Response menu

Entra ID SSO for Sophos Connect Client (RA VPN) and VPN Portal

One of your top requested features makes remote access VPN easier for end-users, enabling them to use their corporate network credentials with the Sophos Connect client and the firewall VPN portal:

  • Entra ID (Azure AD) single sign-on integration with Sophos Connect and the VPN portal is now included in SFOS v21.5.
  • It provides cloud-native integration over the industry standard OAuth 2.0 and OpenID Connect protocols for a seamless experience. 
  • Supported with Sophos Connect client 2.4 (and later) on Microsoft Windows. (You will also get the download link for Sophos Connect client 2.4 EAP installer with the v21.5 EAP download)

Sophos DNS Protection Made Easy

Last year, we launched our DNS Protection service and made it free for all Xstream Protection-licensed firewall customers. With this release, Sophos DNS Protection gets further integration with Sophos Firewall:

  • New control center widget to indicate service status
  • New troubleshooting insights via logging and notifications
  • New guided tutorial on how to set up Sophos DNS Protection easily

VPN and Scalability Enhancements

User Interface and Usability Enhancements: Connection types have been renamed from “site-to-site” to “policy-based,” and tunnel interfaces have been renamed to “route-based” to make these more intuitive.

Improved IP lease pool validation: Across SSLVPN, IPsec, L2TP, and PPTP remote access VPN to eliminate potential IP conflicts.

Strict Profile Enforcement: On IPsec profiles that exclude default values to ensure a successful handshake, eliminating potential packet fragmentation and tunnels failing to establish properly.

Route-Based VPN Scalability: Route-based VPN capacity is doubled with support for up to 3,000 tunnels.

SD-RED Scalability: Sophos Firewalls now support up to 1,000 site-to-site RED tunnels and up to 650 SD-RED devices.

Streamlined Management and Quality-of-Life Enhancements

As with every Sophos Firewall release, this version includes several quality-of-life enhancements that make day-to-day management easier:

Resizable Table Columns: A long-requested feature, many firewall status and configuration screens now support resizable column widths that are retained in browser memory for subsequent visits. Many screens, such as SD-WAN, NAT, SSL, Hosts and services, and site-to-site VPN, all benefit from this new feature.

Extended Free Text Search: SD-WAN routes now enable searching by route name, ID, objects, and object values like IP addresses, domains, or other criteria. Local ACL rules also now support searching by object name and value, including content-based search.

Default Configuration: By popular demand, the default firewall rules and rule group previously created when setting up a new firewall have been removed, with only the default network rule and MTA rules provided during initial setup. The default firewall rule group and the default gateway probing for custom gateways are both set to “None” by default.

New Font: The Sophos Firewall user interface now sports a new lighter, cleaner, sharper font for added readability and improved performance.

Other Enhancements

Virtual, Software, Cloud Licensing: In case you missed it, all Sophos Firewall virtual, software, and cloud licenses (BYOL) no longer have RAM limits. Licenses are now strictly limited by core count and have no RAM restrictions.

Larger file size limit in WAF: Supports a configurable request (upload) file size limit for Web Application Firewall (WAF), which can now scan files up to 1 GB.

Secure By Design: We are continually improving the security of Sophos Firewall, and in this release are adding real-time telemetry gathering to flag any unexpected changes to core OS files using secure hash validation. This will enable our monitoring teams to proactively identify potential security incidents early before they can become a real problem.

DHCP Prefix Delegation Relaxation: Now supports /48 to /64 prefixes, improving interoperability with ISPs. Router Advertisements (RA) and the DHCPv6 server are also now enabled by default.

Path MTU Discovery: This will resolve TLS decryption errors due to the latest ML-KEM (Kyber) key exchange support in browsers. The Sophos Firewall deep packet inspection engine will now automatically detect and adjust the MTU for each flow ensuring optimal performance based on specific network conditions.

NAT64 (IPv6 to IPv4 traffic): NAT64 is supported for IPv6 to IPv4 traffic in explicit proxy mode. In this mode, IPv6-only clients can access IPv4 websites. The firewall also supports IPv4 upstream proxy for IPv6-only clients.

Get the Full Details

Download the full What’s New Guide for a complete overview of all the great new features and enhancements in v21.5.

Download and Get Started Today

You can download the firmware and installer for v21.5 and the installer for Sophos Connect client 2.4 EAP from the Sophos Firewall v21.5 EAP Registration Page. Simply submit your details and the download links will be emailed to you straight away.

Sophos Firewall v21.5 Early Access Announcement – Announcements – SFOS v21.5 Early Access Program – Sophos Community – Connect, Learn, and Stay Secure
