New features

We introduced stronger protection for sensitive information and enhanced security.

Secure storage master key Enhanced security

We introduced a secure storage master key to provide extra protection for the account details stored on XG Firewall. The key encrypts sensitive information, such as passwords, secrets, and keys, preventing unauthorized access.

You must set the master key and store it in a secure location. If you lose it, you can’t recover it. It has implications for backup-restore and import-export. For more details, see the support article.

High availability Enhanced security

The firewall now uses SHA256 encryption for your HA passphrase.

Access to some services Enhanced security

We recommend that you do not allow access to the XG Firewall consoles, user portal, and some services over the WAN zone. If you allow access from the WAN zone to the following services, warnings appear on the Administration > Device access page:

  • HTTPS (web admin console)
  • SSH (CLI)
  • Ping/Ping6
  • DNS: This applies when XG Firewall acts as the DNS server.
  • User portal

CAPTCHA Enhanced security

You can turn off the CAPTCHA from the CLI for the web admin console and the user portal. You can turn it off for only the VPN zone, or both VPN and WAN zones. Use the following syntax to enter the commands:

console> system captcha-authentication-global [enable] [disable] [show]

Selecting the consoles: [userportal] [webadminconsole]

console> system captcha-authentication-vpn [enable] [disable] [show]

Selecting the consoles: [userportal] [webadminconsole]

console> system captcha-authentication-global [enable] [disable] [show]

Users Enhanced security

You can’t export or import local users from Authentication > Users any longer.

Other new features and enhancements

SSL VPN concurrent tunnels

XG Firewall now supports a larger number of concurrent SSL VPN tunnels. For more details, see SSL VPN concurrent tunnels.

Sophos Connect client

You can import groups from LDAP, AD, and other directories. XG Firewall allows access for users who belong to the groups based on the assigned policy.

Users who belong to these groups must sign in to the user portal. The sign-in adds these users to XG Firewall. XG Firewall can then authenticate the users and allow them to access the VPN connection.


XG Firewall is now available over the Nutanix AHV and Nutanix Flow infrastructure. XG Firewall secures traffic using the following two modes of operation:

  • Next-generation firewall protection for Nutanix infrastructure using route mode.
  • East-west protection for individual virtual machines and applications with Nutanix Flow micro-segmentation using non-IP bridge mode.


XG Firewall also supports C5, M5, and T3 instances. The firewall now supports CloudFormation Templates, eliminating the need to run the installation wizard in some instances.

Zones for custom gateways

You can assign any zone to a custom gateway.

You can create a virtual WAN zone on custom gateways for single arm usage after deployment. On single arm (a single interface in AWS or Azure), you can create more than one custom gateway and attach different zones to these gateways. You can then create access and security rules for traffic going to these zones.

XG Firewall doesn’t allow the following actions:

You can’t set the zone for the default gateway.
Custom gateways don’t participate in load balancing even for the WAN zone.
XG Firewall doesn’t apply the custom gateway zone if a migrated policy route applies to the traffic. These are policy routes migrated to 18.0 from earlier versions.
XG Firewall doesn’t perform VPN lookups when the WAN zone is marked through a gateway.
Sophos Central Firewall Management

You can use Sophos Central to manage XG Firewall devices running in active-active and active-passive HA configurations. You can also use the functionality with the earlier 18.0 versions.

Sophos Central Firewall reporting (CFR)

Customers of CFR Advanced can save, schedule, export, and download reports from Sophos Central.

RED 10

You can’t add RED 10 devices to XG Firewall any longer. The devices already in use will continue to work but without support.