Version 19.0 GA Build 317

SD-WAN profiles

VPN orchestrated SD-WAN network is already available from Sophos Central. It enables you to centrally orchestrate complex SD-WAN overlay networks, simplifying the process. See SD-WAN connection groups.

We now offer Xstream SD-WAN on the firewall:

• Xstream SD-WAN profiles support routing strategies for multiple WAN links, including VDSL, DSL, cable, LTE/cellular, and MPLS. You can configure more than two gateways and specify a routing strategy based on the first available link or performance criteria.
• Performance-based SLAs automatically select the best WAN link based on jitter, latency, or packet loss. SLAs can be based on best performance or custom SLA values. You can use multiple probe targets to perform a health check.
• Zero-impact rerouting maintains application sessions when link performance falls below the thresholds and transitions sessions to a better performing WAN link.
• SD-WAN monitoring graphs on Diagnostics > SD-WAN performance provide real-time insights into latency, jitter, and packet loss for all WAN links. You can select the time. You can also click the status on SD-WAN profiles to go to diagnostics.
• Logs contain SD-WAN routing information. A new SD-WAN log module allows you to focus on log entries specific to SD-WAN routing and health. Log entries include SD-WAN rule ID and name for route request and reply directions.

Xstream FastPath acceleration

IPsec acceleration: Xstream FastPath acceleration of IPsec traffic automatically places IPsec VPN traffic flows on the FastPath through the Xstream Flow Processor, taking advantage of the processor’s hardware crypto capabilities. This moves the CPU-intensive processing required for IPsec tunnels, such as ESP encapsulation and encryption, decapsulation and decryption, to the Xstream Flow Processor, freeing up CPU resources and improving performance.

Xstream FastPath Acceleration for IPsec traffic works for both site-to-site (including policy-based and route-based IPsec) and remote access VPN traffic, but weak cipher or authentication algorithms (DES, 3DES, BlowFish, MD5) aren’t offloaded. See FastPath acceleration.

Web

• Per-connection authentication: In explicit proxy mode, web authentication can now handle multiple different users coming from the same source address. This is useful in authentication for terminal services, Windows remote desktop, or direct access systems.
• Tenant Restrictions: The Tenant Restriction feature of O365 used to restrict the domains a user can sign in to by adding headers to outbound HTTPS requests is available in web policies. This enables Microsoft Azure AD to enforce restrictions, typically used to restrict personal accounts from accessing O365 from Sophos Firewall protected networks.
• X-Forwarded-For Header configured in web policies allows the source IP address to be passed upstream to load-balancers or proxies.

VPN

User experience

The VPN menu and user interface have been reorganized to make it more intuitive:

• Remote access and site-to-site VPN are individual left menu items.
• IPsec, SSL, and L2TP are top menu items with links on the pages to IPsec profiles, client download, and logs for easy access to the corresponding settings.
• IPsec policies have been renamed IPsec profiles. It’s now under System > Profiles.
• The new assistant for remote access SSL VPN streamlines and enables easy configuration.
• Clientless policies, bookmarks, and bookmark groups have been consolidated under Clientless SSL VPN policy.
• Amazon VPC is available on site-to-site VPN for the easy setup of Amazon Web Services VPC tunnels with the option to import the VPC configuration file or AWS security credentials.

Feature enhancements

Custom policy support for remote access IPsec VPN addresses a potential PCI compliance issue with the default remote access IPsec policy:

• Added the ability to configure custom rekey time to prevent MFA prompts every four hours.
• Added the option to increase idle time-out from 10 minutes to 6 hours.

Route-Based VPN (RBVPN)

• Added support for static multicast routes.
• You can specify traffic selectors for route-based VPNs with automatic configuration of the XFRM interface and route management for the selected hosts. Only traffic matching the configured pairs of local and remote addresses enters the tunnel.

GCM and Suite-B cipher suite support for IPsec

• AES-GCM for IPsec significantly improves IPsec VPN performance.

SSL VPN

• Upgraded OpenVPN and OpenSSL.
• Default TLS 1.3 support on SSL VPN tunnels.
• AES-NI path-enabled.
• GCM encryption support.
• Significant performance enhancements (nearly 5x) in SSL VPN capacity with the addition of multi-instance support.

VPN logging

VPN selection is available in the log viewer, making it easy to monitor and troubleshoot VPN connections for remote access and site-to-site IPsec and SSL VPN tunnels. Additionally, IPsec logging messages have been enhanced with more details for greater clarity.

AWS VPC

The new feature enables you to connect your on-premise firewall to your AWS network infrastructure easily. You can now import the VPC configuration XML file from AWS to automate the tunnel setup on your Sophos Firewall, including the related routing and IPsec policies. You can import, monitor, and manage AWS VPC connections on Site-to-site > AWS VPC.

Other enhancements

• DHCP: Added DHCP IPv4 options and boot server configuration on the web admin console.
• Global IPS switch: Added a global switch on Intrusion Prevention > IPS policies to turn IPS on or off. The switch is automatically set when you migrate to 19.0 based on your previous configuration. For example, if you’ve been using IPS, it’s set to On.
• Multi-factor authentication: Added the option to require MFA with a one-time password to sign in to the web admin console for the default admin account. This improves security, workflow, and usability.
• Authentication: Improved authentication performance that eases high-load situations with thousands of users.
• Synchronized Security: An update to Lateral Movement Protection to guard against the use of spoofed MAC addresses that disrupt legitimate traffic.
• Zero-day protection: An additional data center location for cloud-based machine learning file analysis is available for the Asia-Pacific region in Sydney, Australia. This adds to the existing data center locations in Japan, Germany, the UK, and the USA.
• Anti-spam engine: Email protection now uses the Sophos Anti-Spam Interface (SASI) in place of the anti-spam engine for anti-spam scanning. SASI is already in use in Sophos Email. If you see false positives or false negatives, see how to submit a sample.
• Log suppression: Repetitive firewall logs within a module are shown in a single event with a count of the repetition. This improves troubleshooting and optimizes logging scalability and storage efficiency.

User experience

• Device and management identity: The device hostname is now shown in the browser tab and the active user ID in the upper right corner of the web admin console. This makes managing multiple firewalls and administrator accounts easier.
• Search functionality:
  • Global search: A new intelligent search box with auto-completion shows up above the main menu and allows you to find any page or feature in the firewall.
  • Object search: You can search for a network object or service for inclusion in rules and policies. It includes a free-text search option that allows you to search by label or value, enhancing the user experience.
• Flow monitor: Enhanced the user interface and layout of the flow monitor to make the headers persistent and eliminate horizontal scrolling.