New features

This section contains the new features for 18.0 MR4.

Sophos Cloud Optix

For XG Firewall instances deployed in the AWS environment, you can see their VPC details in the topology section in Sophos Cloud Optix. For more details, see Cloud Optix help.

Amazon Web Services

Routing-based redundancy enhancements are available on the AWS platform.

Sophos Central

You can register HA devices with Sophos Central and manage them centrally. Both devices must be on 18.0 MR4. You must configure HA on the web admin console of XG Firewall.

High availability

Improvements to FastPath offload for HA active-passive configurations.

Sophos Connect client

The Sophos Connect client menu has been renamed IPsec (remote access). It’s available on VPN > IPsec (remote access). You can configure the IPsec remote access configuration on this page. It also offers the advanced settings that were earlier available only through Sophos Connect Admin.

Turning off «Use as default gateway» on the web admin console may prevent connections from being established if the existing configuration files don’t match the advanced settings. If you make changes to any of the advanced settings on the web admin console, you must send the updated .scx file to users for reimport into the Sophos Connect client.

Users can download the Sophos Connect client from VPN > Sophos Connect client (IPsec and SSL VPN) on the user portal. The available client versions and the remote access connections users can establish are as follows:

  • Windows: Sophos Connect client 2.0 (IPsec and SSL VPN connections).
  • macOS: Sophos Connect client 1.4 (Currently, only IPsec connections).

For more information, see remote access VPN help.


XG Firewall blocks web pages categorized as highly objectionable criminal activity and hides the domain name in logs and reports. It won’t implement any policy or exclusion that allows these pages.

RADIUS server

An optional Domain name field, which creates a local entry in the format user@domainname for RADIUS users, is available. The setting eliminates the issue of two entries being created automatically when authentication is based on both AD and RADIUS servers, for example, when the primary authentication method is AD, but VPN or multi-factor authentication uses RADIUS.

Synchronized Application Control

You can also set the automatic cleanup time to one month.


This section describes the security enhancements introduced in XG Firewall 18.0 MR4.

SSL VPN: XG Firewall enforces TLS 1.2 for SSL VPN connections.

  • Site-to-site connections: Both SSL VPN server and client firewalls must be on 18.0 MR4.
  • Remote access connections: These connections use OpenVPN client 2.3.8 and later. The Sophos Connect client 2.0 and legacy SSL VPN client enforce TLS 1.2.

Password security: Introduced a secure hash for storing the password of the admin (default administrator) account. The control center prompts the default administrator to change the current password. We recommend making this change. It’s a one-time requirement.

Password complexity is turned on by default for all passwords, including those for the web admin console and the user portal.

Open SSL: XG Firewall now uses OpenSSL 1.0.2u.

SPX portal: A CAPTCHA is now required for the SPX portal to prevent automated attacks. You can’t turn it off.