Released on April 30, 2020

New features

This describes the new features introduced in XG Firewall 18.0.

For detailed information on XG Firewall, go to the online help.

For an overview of the key features, please read What’s New in v18.

Xstream architecture

We are introducing the new Xstream architecture for XG Firewall – A new streaming packet processing architecture that provides extreme levels of protection and performance. The new architecture includes:

Xstream SSL inspection: Enable SSL inspection on your network without compromising network performance or the user experience. It delivers high-performance, high-connection-capacity support for TLS 1.3 and all modern cipher suites providing extreme SSL inspection performance across all ports, protocols, and applications. It also comes equipped with enterprise-grade controls to optimize security, privacy, and performance.
Xstream DPI engine: Enables comprehensive threat protection in a single high-performance streaming DPI engine with proxyless scanning of all traffic for AV, IPS, and web threats as well as providing application control and SSL inspection.
Xstream network flow FastPath: Provides the ultimate in performance by intelligently offloading traffic processing to transfer trusted traffic at wire speeds. FastPath offloading can be controlled through policy to accelerate important cloud application traffic or intelligently by the DPI engine based on traffic characteristics.
Sandstorm threat intelligence analysis
Sophos Sandstorm gains an added layer of artificial intelligence protection. All suspicious files are now subject to threat intelligence analysis in parallel with full sandbox analysis. Files are checked against the Sophos Labs threat intelligence database and subjected to our industry-leading deep learning. This identifies new and unknown malware quickly and efficiently, often rendering a verdict in seconds, to stop the latest zero-day threats before they get on the network.

Sophos Central Firewall Reporting and Management

This release includes support for new firewall reporting and management capabilities being launched simultaneously on Sophos Central including a rich powerful new reporting suite and group firewall management tools. To register with Sophos Central, go to Central synchronization.

NAT Enhancements

XG Firewall’s NAT configuration receives a major update as NAT rules are now decoupled from Firewall Rules enabling more powerful and flexible configuration options including Source (SNAT) and Destination (DNAT) in a single rule. NAT Rules can still be “snapped-in” to a Firewall Rule and edited in-place similar to other snap-in policies such as IPS and Web policies.

Improvements in managing firewall rules

Firewall rule management includes a new Add filter option with several fields and conditions to choose from. Adding a filter makes it easier to find firewall rules based on the selected filter criteria. Once selected, filters stay selected even when you move to other configuration screens.

You can manage multiple firewall rules at the same time (for example, select multiple rules to delete, enable or disable, attach to a group). Movement of rules across screens is possible, providing ease of use and management for larger rule sets.

Within the firewall rule there is an exclusion feature that provides a “negate” option in the matching criteria to reduce the management and ordering overhead of multiple rules. There’s also a UI option to reset the data transfer counter for a firewall rule to improve troubleshooting.

Wild card domains in WAF rules

You can now add wildcard domains in WAF (Web Application Firewall) rules. You can add wildcard subdomains (example: * for both HTTP and HTTPS connections.

SD-WAN policy-based routing

Policy-based routing gains added SD-WAN flexibility and more granular control with the addition of application, user and group-based traffic selection criteria. Routing can be defined through either the primary or a backup gateway WAN connection and can be configured for replay direction.

Enhanced High Availability

You can now update more high availability settings without breaking HA and can also use the new QuickHA configuration mode.

Alerts and Notifications

There is a new option to choose from dozens of system and threat-related alerts and have notifications sent via email or SNMP.

Intelligent IPS signature selection

XG Firewall receives IPS signatures based on a number of intelligent filtering criteria, such as age, vendor, vulnerability type, and CVSS (Common Vulnerability Scoring System) to optimize protection and performance.

DKIM and BATV anti-spam protection

Anti-spam protection is improved with support for DomainKeys Identified Mail (DKIM). It detects forged sender addresses and Bounce Address Tag Validation (BATV) to determine whether the bounce address specified in the received email is valid and reject backscatter spam.

Kerberos authentication and NTLM

This release adds Kerberos authentication alongside the existing NTLM support for Microsoft Active Directory SSO, extending the range of authentication tools available for customers.

RADIUS time-out with two-factor authentication (2FA)

For customers using two-factor authentication (2FA) with RADIUS server authentication, the timeout value is now configurable allowing additional time to finish the authentication flow when necessary.

You can use the two-factor authentication (one-time password) for administrator access, user portal, IPsec and SSL VPN.

Bridge-VLAN support

VLANs are now supported on bridge interfaces, enabling greater networking flexibility and support for advanced inter-VLAN routing and bridging deployments.


Support for SNMPv3 is added, providing more flexibility and security over SNMPv2.

SNMP (Simple Network Management Protocol) gives access to XG Firewall information, for example, status of the firewall, service availability, CPU, memory, and disk usage. XG Firewall now supports SNMPv3 users in addition to SNMPv1 and SNMPv2c protocols, ensuring confidentiality, message integrity, and validity of the user.

Route-based VPN

You can now create IPsec VPN connections that use tunnel interfaces as endpoints, making static and dynamic routing possible.

Web policy quota

Browsing quotas have been added to web policies, allowing you to set time quotas for browsing selected website categories. Users can choose how and when to consume their daily time quota.


This describes the enhancements introduced in XG Firewall 18.0.

Interface renaming: Interfaces can be renamed making networking configuration easier and more intuitive.
Jumbo Frame Support: Jumbo frames with more than 1500 byte payloads are now supported for added networking flexibility in high bandwidth environments.
Enhanced DDNS support: Provides support for enhanced HTTPS-based DDNS by adding five more DDNS providers: No-IP, DNS-O-Static, Google DNS, Namecheap, and FreeDNS.
Improved Synchronized Application Control verdict: If there is a pattern-based match conflict, Synchronized Application Control verdict is used. This gives more accurate application control.
DHCP relay enhancements for dynamic routing: Synchronizes dynamic routing updates (learned routes from OSPF) to DHCP relay, eliminating the need for manual reconfiguration.
Secure Syslog and logs in the standard Syslog format: Provides the option to fetch logs in the standard syslog format using secure TLS.

Dynamic GeoIP (IP to country mapping) database: The GeoIP database is now updated dynamically in real time from the Up2Date servers. Make sure you always use the appropriate country-specific filters and policies.
VMware Tools upgrade and integration with VMware Site Recovery Manager (SRM): Supports virtual device integration of the latest VMware Tools version (v10.3.10) with reboot, shutdown, and clone-like functionalities. The release also supports integration with Site Recovery Manager (SRM), the disaster recovery and business continuity solution from VMware which automates the transfer of virtual machines to a local or remote recovery site.
Log viewer enhancements: The log viewer gets several enhancements with one-click actions available right from the logs to narrow search results, filter log entries, or create or modify policies on the fly.
New filter and search options, including the choice to disable signatures, block a source IP address, edit interfaces, and modify IPS, app control, or web filtering policies.

Live Connections: The live connections pages for IPv4 and IPv6 provide a lot of new insights into concurrent traffic in your network.
Access points can be restarted from the web admin console: You can now restart wireless access points from the web admin console. To restart an access point, select an access point and click Restart.
Sophos Connect address range: Sophos Connect lease now supports more than 255 IP addresses in the address range. XG Firewall now supports class B networks for IP addresses leased to the Sophos Connect client. You can change the last two octets.