One of the great new features in XG Firewall v18 that we covered in Part 3 of this series is the new SD-WAN Application and User/ Group based link selection capabilities. In this article, we'll review how you can take advantage of those as a part of another new feature in XG Firewall v18 – Route Based IPsec VPN.
Route Based IPsec (RBVPN) in XG Firewall v18 enables truly dynamic IPsec site-to-site VPN tunnels. With RBVPN, network topology changes do not impact VPN policy and you no longer need to modify VPN policies if networks are added or removed from your environment, greatly simplifying VPN policy creation and management, especially in larger and more dynamic environments.
RBVPN provides full control over routing, with support for static, dynamic (OSPF, BGP, RIP) and SD-WAN policy-based routes over RBVPN tunnels. The RBVPN implementation in XG Firewall v18 also provides the flexibility to set up more complex network address translation using the new NAT rule configuration, such as VPN NAT overlap scenarios.
XG Firewall v18 also supports RBVPN tunnel interfaces for SD-WAN policy-based routes to support IPsec and MPLS co-existence with SD-WAN. This makes it possible to enable IPsec and MPLS (even on a non-WAN zone) to both be active at the same time with options for load balancing on VPN tunnels as well.
RBVPN is a well-accepted industry standard and interoperates nicely with other vendors' route-based VPN tunnels, making it easier to tunnel to Azure/ AWS and other cloud providers. Ultimately, route-based VPN is the preferred choice for today's dynamic networks.
Making the Most of Route-Based IPsec VPN Tunnels in XG Firewall
This video provides a detailed look at how to set up route-based VPN in XG Firewall v18:
Route Based VPN in XG Firewall v18 from Sophos on Vimeo.
Then, you can take full advantage of the new Synchronized SD-WAN policy-based routing for your VPN traffic, with options for user, group, application, and even Synchronized Application Control discovered-app-based routing for your route-based VPN.
Synchronized SD-WAN leverages the added clarity and reliability of application identification that comes with the sharing of Synchronized Application Control information between Sophos-managed endpoints and XG Firewall. Synchronized Application Control can positively identify 100% of all networked applications, including evasive, encrypted, obscure, and custom applications and now these previously unidentified applications can also be added to SD-WAN and VPN routing. This provides a level of application routing control and reliability that other firewalls can't match.
To use Synchronized Application Control discovered apps in your routing, when creating an application object for SD-WAN or VPN routing, select 'Synchronized Application Control' from the technology drop-down box as shown below to see all the relevant applications.
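The following is an added example, not code from Sophos or from the XG Firewall product, that models the two points made above: why a route-based tunnel needs no VPN policy change when a subnet is added (the tunnel is an interface that the routing table points traffic at, rather than a set of traffic selectors inside the policy), and how an SD-WAN policy route keyed on application and user is consulted before the ordinary longest-prefix lookup. Everything here is a simplified model: no IPsec is negotiated, the interface names "Port2", "Port3" and "xfrm1", the application "ERP", the user "finance" and all subnets are constructed for the illustration, and the first-match ordering of policy routes is an assumption of the model rather than a statement about the firewall's internals.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class PolicyBasedVPN:
    """Policy-based tunnel: the VPN policy itself carries the traffic
    selectors (local subnet, remote subnet). A packet is only encrypted if
    some selector pair matches it, so every new subnet means a policy edit."""
    selectors: list  # list of (local_network, remote_network) pairs

    def add_selector(self, local, remote):
        self.selectors.append((ip_network(local), ip_network(remote)))

    def protects(self, src, dst):
        s, d = ip_address(src), ip_address(dst)
        return any(s in local and d in remote for local, remote in self.selectors)


@dataclass
class RouteBasedFirewall:
    """Route-based tunnel: the tunnel is just an interface ("xfrm1" below is a
    constructed name). Which interface a packet leaves on is decided by the
    SD-WAN policy routes first, then by the routing table."""
    routes: list = field(default_factory=list)        # (network, interface)
    sdwan_routes: list = field(default_factory=list)  # (app, user, interface)

    def add_route(self, prefix, iface):
        self.routes.append((ip_network(prefix), iface))

    def add_sdwan_route(self, iface, app=None, user=None):
        # None acts as a wildcard, like leaving a match field as "Any"
        self.sdwan_routes.append((app, user, iface))

    def egress(self, dst, app=None, user=None):
        # 1. SD-WAN policy routes: first matching rule wins (model assumption)
        for rule_app, rule_user, iface in self.sdwan_routes:
            if rule_app in (None, app) and rule_user in (None, user):
                return iface
        # 2. Otherwise: longest-prefix match over the static/dynamic routes
        d = ip_address(dst)
        candidates = [(net, iface) for net, iface in self.routes if d in net]
        if not candidates:
            return None
        return max(candidates, key=lambda c: c[0].prefixlen)[1]


def build_scenario():
    """Constructed scenario: head office 10.1.0.0/16 talks to a branch that
    starts with 10.2.0.0/24 and later grows a second subnet, 10.2.5.0/24."""
    policy = PolicyBasedVPN([])
    policy.add_selector("10.1.0.0/16", "10.2.0.0/24")   # only the first branch subnet

    fw = RouteBasedFirewall()
    fw.add_route("0.0.0.0/0", "Port2")      # default route to the internet
    fw.add_route("10.2.0.0/16", "xfrm1")    # whole branch range via the tunnel
    # policy route: the finance team's ERP sessions always go via the tunnel
    fw.add_sdwan_route("xfrm1", app="ERP", user="finance")
    return policy, fw


def compare(policy, fw, dst, app=None, user=None):
    """Side-by-side decision for one destination from a head-office host."""
    return {
        "policy_based_encrypts": policy.protects("10.1.0.10", dst),
        "route_based_egress": fw.egress(dst, app=app, user=user),
    }


if __name__ == "__main__":
    policy, fw = build_scenario()
    # original branch subnet: both designs carry it over the tunnel
    print(compare(policy, fw, "10.2.0.7"))
    # new branch subnet: policy-based needs a selector edit, route-based does not
    print(compare(policy, fw, "10.2.5.7"))
    # application/user routing: ERP from finance enters the tunnel whatever the destination
    print(compare(policy, fw, "203.0.113.5", app="ERP", user="finance"))
```

The second `compare` call is the point of the exercise: the policy-based tunnel leaves 10.2.5.7 in the clear until someone edits the selectors, whereas the route-based firewall already forwards it into the tunnel because the /16 route covers it, and a more specific route (say 10.2.9.0/24 via another port) would override that per-prefix without touching the VPN at all.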
Here's a summary of the resources available to help you make the most of the new features in XG Firewall v18, including the new route-based VPN capabilities:
If you're new to Sophos XG Firewall, learn more about the great benefits and features XG Firewall can deliver to your network.
Selling XG Firewall
On the Sophos partner portal, we provide you with a wealth of sales assets. You may filter the list of assets by selecting a category to narrow down the results. And don't forget to check whether there is a sales promotion available for your region. It's worth checking back from time to time to make sure you're not missing out on a great opportunity!
Sophos has released the long-awaited MR-3 with many good fixes in the package. Read all about it here:
RELEASE NOTES from Sophos:
Enhancements in v18 MR-3
Security enhancements:
- Several security and hardening enhancements – including SSMK (secure storage master key) for the encryption of sensitive data. Refer to KB-000040174 for more details.
- Granular option to enable/ disable captcha authentication from CLI
VPN Remote Access enhancements:
- Increase in SSL VPN connection capacity across the entire firewall line-up; 6x increase for 2U hardware. KB-000039345 is being updated with the enhanced capacity figures.
- Group support for Sophos Connect VPN client
Cloud – AWS/ Azure/ Nutanix enhancements:
- Support for newer AWS instances – C5/ M5 and T3 (#)
- Support for CloudFormation Templates, removing the need to run the installation wizard in some cases (#)
- Virtual WAN Zone on custom gateway for post deployment single arm usage
- On single arm – a single interface in AWS or Azure – admins can create multiple custom gateways and attach different zones to those gateways. This allows admins to create access and security rules for traffic going into those zones.
- XG Firewall is now Nutanix AHV and Nutanix Flow Ready. XG Firewall has been validated to provide two modes of operation within Nutanix AHV infrastructure.
- Optimize cloud costs and improve security across multi-cloud environments with Cloud Optix. Automatic identification and risk-profiling of security and compliance risks across AWS, Azure and Google Cloud enables teams to fix security gaps and insecure deployments before they are compromised. Learn more.
(# available after a few days of release on community, once v18 MR-3 is available in the AWS marketplace)
Central management enhancements:
- XG running in an HA configuration (either A-A or A-P) can now be managed by Sophos Central. Each firewall must be separately joined to the same Sophos Central account, and if grouped, both HA devices must be added to the same group.
- Audit trail went live under the task queue
Central Firewall Reporting enhancements:
- Earlier this month, we released Save, schedule, export & download reports. Refer to the community post here.
Issues Resolved:
- 34 field reported issues including RED & HA cluster issues (list below)
Note: Upgrading from v17.5 MR13/ MR14/ MR14-1 to v18 MR-3 is now supported.
Check out our recent blog and video series on how to make the most of the many great new capabilities in XG Firewall v18 such as the Xstream Architecture, TLS Inspection, FastPath acceleration, Zero-day threat protection, NAT, and much more.
We also have a new Sophos Techvids site for XG Firewall v18.
Get it now!
As usual, this firmware update is free of charge for all licensed XG Firewall customers. The firmware will be rolled out automatically to all systems over the coming weeks, but you can access the firmware at any time to do a manual update through the Licensing Portal. You can refer to this article for more information on how to upgrade the firmware.
For fresh installations, the download links will be updated right here very soon.
Things to know before upgrading
Issues Resolved in v18 MR-3
- NC-58229 [Authentication] Sophos AV and Avira AV Pattern updates failing
- NC-51876 [Core Utils] Weak SSHv2 key exchange algorithms
- NC-58144 [DNS] XG self reporting its own lookups in ATP causing flood of events
- NC-54542 [Email] Email banner is added to incoming emails
- NC-59396 [Email] Blocked senders are able to send the mails
- NC-58159 [Firewall] Unable to ping the external IPs from auxiliary appliance console
- NC-58356 [Firewall] Direct proxy traffic doesn't work when RBVPN is configured.
- NC-58402 [Firewall] Firewall reboots randomly.
- NC-59399 [Firewall] ERROR(0x03): Failed to migrate config. Loading default.
- NC-60713 [Firewall] Userportal hotspot voucher config gets timeout
- NC-60848 [Firewall] HA cluster both nodes rebooting unexpectedly
- NC-59063 [Firmware Management] Remove expired CAs from SFOS
- NC-44455 [HA] System originated traffic is not flow from AUX when SNAT policy configured for system originated traffic
- NC-62850 [HA] Filesystem oddity in /conf
- NC-58295 [IPsec] Dropped due to TLS engine error: STREAM_INTERFACE_ERROR
- NC-58416 [IPsec] IKE SA Re keying won't be re-initiate itself after re-transmission time out of 5 attempts
- NC-58499 [IPsec] Sophos Connect Client 'IP is supposed to be added in the '##ALL_IPSEC_RW '
- NC-58687 [IPsec] IPsec tunnel not getting reinitiated after PPPoE reconnect
- NC-58075 [Netflow/IPFIX] Netflow data not sending interface ID
- NC-55698 [nSXLd] Not able to add new domain in custom category
- NC-62029 [PPPoE] PPPoE link does not reconnect after disconnecting
- NC-57819 [RED] XG Site to Site RED Tunnel disconnects randomly also with MR10 and v18
- NC-60240 [RED] Interfaces page is blank after adding SD-RED60 with PoE selected
- NC-61509 [RED] RCA s2s red tunnel static routes disappear on FW update
- NC-62161 [RED] RED connection with device becomes unstable after upgrading to v18.0 MR1 from v17.5 MR12
- NC-59204 [SFM-SCFM] Task queue pending but never apply with XG86W appliance
- NC-60599 [SFM-SCFM] Task queue pending but never apply due to no proper encoding
- NC-62304 [SFM-SCFM] The notification e-mail sent from the XG displays the wrong Central Administrator
- NC-61956 [UI Framework] WebAdmin Console and User Portal not accessible because space in certificate name
- NC-62218 [UI Framework] Post-auth command injection via User Portal 1/2 (CVE-2020-17352)
- NC-62222 [UI Framework] Post-auth command injection via User Portal 2/2 (CVE-2020-17352)
- NC-58960 [Up2Date Client] HA: IPS service observed DEAD
- NC-59064 [Web] Appliance goes unresponsive : Awarrenhttp high memory consumption
- NC-60719 [WebInSnort] DPI engine causing website to intermittently load slowly
Here are some direct links to helpful resources:
- Customer Training Portal (free Delta Training)
Source: https://community.sophos.com/xg-firewall/b/blog/posts/xg-firewall-v18-mr3