SFOS v22 is finally out, with a cool new firewall health check widget for compliance; furthermore, it got much more secure:
Sophos Firewall v22 is Now Available
The product team is pleased to announce that Sophos Firewall v22 is now generally available. This update brings several Secure by Design enhancements and many of your top requested features.
Secure By Design
Over the last several weeks, we’ve covered the importance of Secure by Design principles and why we need secure products as much as we need security products. Sophos Firewall v22 builds on the many security and hardening enhancements from previous releases to take Secure by Design to a whole new level.
Sophos Firewall Health Check
A strong security posture depends on ensuring your firewall is optimally configured. Sophos Firewall v22 makes it much easier to evaluate and address the configuration of your firewall with the new Health Check feature. This new feature evaluates dozens of different configuration settings on your firewall and compares them with CIS benchmarks and other best practices, providing immediate insights into areas that may be at risk. It will identify all high-risk settings and provide recommendations with quick drill-down to the areas of concern so you can easily address them.
The health check status is displayed on a new Control Center widget and a full report is available under the “Firewall health check” main menu item.


Watch the Firewall health check overview video to see how to make the most of this new feature.
Other Secure By Design Enhancements:
- Next-Gen Xstream Architecture:
  - Introduces an all-new control plane re-architected for maximum security and scalability to take us into the future.
  - The new control plane enables modularization, isolation, and containerization of services such as IPS, so they run like “apps” on the firewall platform.
  - It also enables complete separation of privileges for added security.
  - In addition, SFOS now benefits from a self-healing capability that continuously monitors system state and fixes deviations automatically.

- Hardened Kernel:
  - The next-gen Xstream Architecture in Sophos Firewall OS is built upon a new hardened kernel (v6.6+) that provides enhanced security, performance, and scalability to maximize current and future hardware.
  - The new kernel offers tighter process isolation and better mitigation for side-channel attacks, as well as mitigations for CPU vulnerabilities (Spectre, Meltdown, L1TF, MDS, Retbleed, ZenBleed, Downfall).
  - It also offers hardened usercopy, stack canaries, and Kernel Address Space Layout Randomization (KASLR).
- Remote Integrity Monitoring:
  - Sophos Firewall OS v22 now integrates our Sophos XDR Linux Sensor that enables real-time monitoring of system integrity, including unauthorized configuration, rule exports, malicious program execution attempts, file tampering, and more.
  - This helps our security teams who are proactively monitoring our entire Sophos Firewall install base to better identify, investigate, and respond more quickly to any attack.
  - This is an added security capability that no other firewall vendor provides.
- New Anti-Malware Engine:
  - Sophos Firewall OS v22 integrates the latest Sophos anti-malware engine with enhanced zero-day real-time detection of emerging threats using global reputation lookups.
  - It takes full advantage of SophosLabs' massive cloud database of known malicious files, updated every 5 minutes or less.
  - It also introduces AI and ML model detections and delivers enhanced telemetry to SophosLabs for accelerating their emerging threat detection analysis.
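A generic Linux check for the mitigations named under Hardened Kernel, as an added example that is not Sophos code: it reads the kernel's standard sysfs vulnerability entries and looks for `nokaslr` on the boot command line. Whether SFOS exposes these paths to administrators is an assumption, and the status files used in `demo()` are constructed samples.

```python
from pathlib import Path
import tempfile

# Issue named in the release notes -> standard Linux sysfs entry reporting it.
# ZenBleed is left out: this sketch covers only the entries listed here.
SYSFS_NAMES = {
    "Spectre v1": "spectre_v1", "Spectre v2": "spectre_v2",
    "Meltdown": "meltdown", "L1TF": "l1tf", "MDS": "mds",
    "Retbleed": "retbleed", "Downfall": "gather_data_sampling",
}

def classify(status):
    """Map one sysfs status line to ok / partial / vulnerable / unknown."""
    s = status.strip()
    if s.startswith("Vulnerable"):
        return "vulnerable"
    if s.startswith("Mitigation:"):
        # A mitigation can still carry a caveat such as "; SMT vulnerable".
        return "partial" if "vulnerable" in s.lower() else "ok"
    return "ok" if s == "Not affected" else "unknown"

def audit(base="/sys/devices/system/cpu/vulnerabilities"):
    """Return {issue: (verdict, raw status)}; an unreadable entry is unknown."""
    report = {}
    for issue, name in SYSFS_NAMES.items():
        try:
            raw = (Path(base) / name).read_text().strip()
        except OSError:
            raw = "(no sysfs entry)"
        report[issue] = (classify(raw), raw)
    return report

def kaslr_disabled(cmdline):
    """True if the boot command line (/proc/cmdline) contains 'nokaslr'."""
    return "nokaslr" in cmdline.split()

def demo():
    """Audit a constructed directory of sample status files (not real output)."""
    sample = {"meltdown": "Mitigation: PTI", "l1tf": "Not affected",
              "mds": "Mitigation: Clear CPU buffers; SMT vulnerable",
              "retbleed": "Vulnerable"}
    with tempfile.TemporaryDirectory() as d:
        for name, text in sample.items():
            (Path(d) / name).write_text(text + "\n")
        return audit(d)

if __name__ == "__main__":
    for issue, (verdict, raw) in demo().items():
        print(f"{issue:11} {verdict:10} {raw}")
```

On a Linux host, calling `audit()` with no argument reads the live sysfs entries instead of the sample directory.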
Other Security and Scalability Enhancements:
- Active Threat Response Logging Improvements: Adds granular logging controls for both inbound and outbound traffic to reduce noise from brute-force and similar repetitive events. Adds support for identifying and matching inbound forwarded traffic (WAF, DNAT, etc.) with third-party threat feeds, NDR Essentials, and MDR threat feeds, improving detection for externally initiated threats. Adds local source matching for third-party threat feeds and NDR Essentials, in addition to MDR threat feeds.
- XML API Access Control Enhancements: API configuration has now been moved under the “Administration” main menu. You can now define API access by IP addresses, IP ranges, and network objects with up to 64 objects supported (an increase from the previously supported 10 IP addresses).
- NDR Essentials improvements:
  - Threat Score in Logs: The assigned threat score is now included in Active threat response logs for enhanced visibility, reporting, and analytics.
  - Data Center selection: You can now select the data center region for NDR Essentials flow analysis for regional or data residency requirements. By default, the system will choose the lowest latency region.
- Instant Web Category and Search Keywords Alerts:
  - Useful to raise immediate alerts based on the browsing intent or behavior.
  - This helps schools move from reactive reporting to proactive safeguarding, helping protect students when it matters most and proving compliance with the latest digital standards.
- TLS 1.3 Support for Device Access: The Web admin console, VPN portal, and User portal now support TLS 1.3, providing stronger encryption.
Streamlined Management and Quality of Life Enhancements:
- Enhanced Navigation Performance: You can now navigate to any menu item or tab without waiting for the current page to finish loading, which makes UI navigation faster.
- Hardware monitoring via SNMP: A top-requested feature from many partners and customers has been added, with a MIB file downloadable from the SFOS UI. The supported metrics include CPU temperature, NPU temperature, fan speeds, power supply status (on XGS 2100 and above), and PoE measurements for all XGS models with PoE support, except XGS 116(w).
- NTP Server Settings: For fresh installations, the default NTP server setting is now set to “Use pre-defined NTP server.”
- UI Enhancements for XFRM Interfaces: Pagination support has been added for XFRM interfaces, along with search and filter options to easily manage a large number of XFRM interfaces.
- sFlow Monitoring: Provides real-time data based on your set sampling rate. It works on any physical interface, including sub-interfaces (Alias, VLAN, etc.) with a maximum of 5 collectors.
- Cellular WAN: Added support to check signal strength using the CLI command `system cellular_wan show`.
SG UTM9 Features:
With Sophos UTM coming toward end-of-life soon (July 30, 2026), some migrating customers will appreciate these added features:
- MFA Support for WAF: Brings multi-factor authentication to the integrated Web Application Firewall on Sophos Firewall to provide added security and feature parity in this area.
- Stronger Security for WAF: Sessions are now managed by SFOS instead of client-side cookies, making them harder to hijack and enhancing overall protection. When auth forwarding isn’t required, authentication can be fully offloaded to SFOS, reducing exposure of the internal WAF server.
- SHA 256 and 512 Support for OTP Tokens: Another popular request from the SG UTM customers is now an option on Sophos Firewall for Google and Sophos apps, as well as Admin users.
- Audit trail logs: Enables comprehensive audit logs with before-and-after tracking to meet the latest NIS2 standards. In phase 1, detailed audit logging is supported for firewall rules, objects, and interfaces. Detailed audit logs can be downloaded from Diagnostics > Troubleshooting Logs > configuration-audit.log. XML is used to highlight the before-and-after changes.
Get the full details
Download the full What’s New Guide for a complete overview of all the great new features and enhancements in v22. Also be sure to check out the full release notes.
How to get v22
As with every firewall release, Sophos Firewall v22 is a free upgrade for Sophos Firewall customers with Enhanced or Enhanced Plus Support and should be applied to all supported firewall devices as soon as possible. Sophos Firewall v22 is a fully supported upgrade from any supported Sophos Firewall firmware version.
SFOS 22.0 and later versions require additional disk space to accommodate upcoming new features and enhanced functionality. Most appliances already meet these requirements; however, a subset of desktop, virtual, and software deployments may require manual intervention before they can upgrade. Appliances that have sufficient disk space but require resizing take a slightly longer upgrade time, ranging from two to ten minutes, because the root partition is resized during the upgrade. Watch Upgrade paths to v22. If you see a Control center alert or firmware page notification about disk space requirements, read Requirements and resolution to upgrade to v22 and later.
This firmware release will follow our standard staged roll-out process. The new v22 firmware will be gradually rolled out to all connected devices in phases over the coming weeks. A notification will appear on your local device or Sophos Central management console when the update is available, allowing you to schedule the update at your convenience. You can either wait until the firmware update notification appears in Sophos Central or your local device console or you can manually download the latest Sophos Firewall firmware from Sophos Central at any time.




