The early access program for Sophos Firewall OS v19 is kicking off today delivering Xstream SD-WAN capabilities.

Earlier this year, we launched the powerful new XGS Series firewalls with dedicated Xstream Flow Processors to accelerate SD-WAN, SaaS, and cloud traffic.  We then followed that with an extremely easy way to orchestrate complex SD-WAN overlay networks in Sophos Central.  And today, we’re introducing Xstream SD-WAN.

Sophos Firewall OS v19 includes several new and exciting SD-WAN capabilities including SD-WAN profiles with multi-gateway support and performance SLA link selection, as well as performance monitoring tools, SD-WAN logging, and much more.

Xstream FastPath Acceleration of IPsec VPN tunnel traffic will also be part of SFOS v19 and is still being finalized for inclusion in the next EAP phase.

All this adds up to Xstream SD-WAN – delivering extreme new levels of networking flexibility and performance – all integrated into your firewall.

Here are the major enhancements in SFOS v19:

SD-WAN

  • SD-WAN Profiles and Advanced Performance SLAs – with multiple gateway support for seamless and efficient re-routing of traffic based on WAN link performance.
  • SD-WAN monitoring – provides graphical real-time and historical monitoring of SD-WAN link performance metrics including latency, jitter, and packet loss.
  • SD-WAN Logging – integrates SD-WAN routing information into log data with a new SD-WAN log viewer module.

VPN

  • VPN Management – VPN management has been reorganized and streamlined including new separate main menu items for remote access and site-to-site VPN management as well as many other intuitive changes, a new SSL remote-access setup wizard, and more.
  • VPN Performance – SSL VPN capacity is dramatically improved (up to 5x) thanks to the addition of multi-instance support, and in the next EAP phase, we will be introducing Xstream FastPath acceleration of IPsec VPN tunnel traffic.
  • VPN Operational Enhancements – a variety of additional changes, including custom policy support for IPsec RA, RBVPN, new GCM and Suite-B cipher support for IPsec, and SSL VPN enhancements.
  • VPN Logging – A new log viewer module has been added to assist in monitoring and trouble-shooting VPN connections for both remote-access and site-to-site using SSL or IPsec.
  • AWS VPC Import – You can now import your VPC configuration XML file from AWS to streamline the tunnel setup on your Sophos Firewall.

Other Enhancements

  • Web Protection – Per-connection authentication for multiple users on the same source IP address, enforcement of tenant restrictions for O365, and X-Forwarded-For Header support for up-stream load balancers and proxies.
  • System and Object Search – New search capabilities to quickly and easily find screens or features in the product, as well as enhanced object search when building firewall, NAT, TLS or routing rules that allows free text searching for any object in the system.
  • Performance, Protection, and Usability Enhancements – including scalable authentication performance (in high user-count environments), Synchronized Security enhancements for lateral movement protection, Flow Monitor interface enhancements, MFA enhancements, and log aggregation and suppression.

Check out the detailed PDF list of What’s New in the SFOS v19 Early Access Program.

Watch brief demo videos for many of the new features:

Of course, SFOS v19 also includes all the other great enhancements in SFOS v18.5 MR2 which will be popping up in your consoles as an update any day now.

Getting Started and Providing Feedback

Sophos Firewall OS v19 EAP1 (Build 244) is a fully supported upgrade from v17.5 MR14 and later, v18 MR3 and later, and all previous versions of v18.5 except the latest v18.5 MR2.

Please visit the SFOS v19 EAP Registration Page to get started.

Once you’re up and running, please provide feedback through your Sophos Firewall's feedback mechanism (top right of every screen on your Firewall).  Also visit our EAP Community Forums to share your experience with others.

Note: Please do not call Sophos Support for issues related to the EAP. Troubleshooting and support for all EAP versions is handled solely through the online Sophos Community EAP Forums.

Please be on the lookout for brief email surveys over the course of the EAP.  These can be extremely helpful in shaping the release, and don't worry, we value your time and will ensure they won't take long to complete. 

  • Planned for the next major release. Not in V19.0. 

  • When will Azure MFA for VPN be implemented?

    This is such an important need now!

  • Right. I used the latest Apple Beta from the time MacOS X came out in (public) beta until about a year ago. So MANY years with no showstoppers. (I stopped recently because I was doing a lot of video editing and while I've never had an Apple Beta get crashy on me, I had to be much more careful about combinations of AppleOS plus my video editing program, with hard deadlines leaving little room for error.)

    And it sounds to me like Sophos EAP is similarly stable, as long as you don't poke into dark corners. So I've taken the chance and so far it's working out.

    I did reboot to v18.5 MR1, then upload the EAP and it all worked quickly and without issues. On the XGS87, there's about a 30 second period after "reboot" where I think it's booting from PROM, then about 2-2.5 minutes with the blue light flashing and the port lights off, then the port lights come on and blink and I think network connectivity is up. It takes 2 more minutes (though I think I've seen up to 3 or 4 minutes) for the APX to come up and give me wireless, at which point the network is officially up.

  • Thanks for sharing. Another point to update this: SD-WAN Failover does currently not support "Loadbalancing". What this means: If you have multiple WAN Interfaces, SD-WAN PBR will only use one Interface at a time. It will failover to the next Link, if the Link does not meet the criteria. But it will not utilize all WAN Interfaces at the same time. This is planned for the next release.

  • Thanks! I took the plunge and it's working well. The graph only updates every 30 seconds or so, even though statuses are checked every few seconds, but that's okay for now. Better than I had before.

    The web interface feels snappier. Sophos Central accessing it remotely also works well and does look just like the local web interface.

    Little irregularities -- like at one point it displayed all MAC addresses instead of host names on one of my SSIDs. Returning later, it was all fine. One bug I reported: the filter "Unused Rules" on the Firewall Rules page displays everything. And that's also reflected on the Control Center, where it claimed that 17 out of 17 of my rules were unused. Scared me for a minute.

    This SD-WAN thing is the wave of the future. I think it'll satisfy multiple complaints/suggestions about the old fail-over mechanism. Now if I only had more than one ISP... (Or figured out how to do Cellular data fallback economically. All of the providers I've found really don't like hotspots and limit traffic in a month to what I generate in a day. I guess the theory is that outages would only last for a few minutes or hours in general, so that's enough data. Then perhaps a lot of traffic shaping so that frequent-but-not-important traffic gets dumped or severely limited.)