
XG Firewall v18

Yannick Escudero
September 2019
What’s New in XG Firewall v18
Enhancements to Visibility, Protection, Performance and Networking

Xstream Architecture
• Xstream DPI Engine
• Xstream SSL Inspection
• Xstream Network Flow FastPath

Threat Intelligence
• Deep Learning Analysis
• Threatometer
• Detailed Threat Analysis Reports

Networking Flexibility
• SD-WAN Features
• PBR, NAT, Interfaces
• Much More

XG Firewall v18.0 EAP 1

XSTREAM Architecture
• SSL inspection
• DPI engine
• FastPath

Rules and Policies
• Firewall rules
• SSL/TLS inspection
• Enterprise NAT

Network and Routing
• SD-WAN policy routing
• Interface enhancements

Protection and Filtering
• Web quotas
• DKIM and BATV
• Sandstorm and IPS

Logs, Reporting and Alerts
• Central reporting
• Logging
• Alerts

Other Enhancements and Upgrading
• Authentication
• Upgrading
XSTREAM Architecture

SSL Inspection
• High-performance, high-connection capacity across all ports, protocols and applications
• Enterprise-grade controls to optimize security, privacy and performance
• Support for TLS 1.3 and all modern cipher suites

DPI Engine
• Comprehensive threat protection in a single high-performance streaming DPI engine
• Proxy-less scanning of traffic for AV, IPS, web threats, application control and SSL inspection
• Decrypting traffic provides more effective protection from pattern-changing applications

Network Flow FastPath
• Intelligent offloading of traffic processing to transfer trusted traffic at wire speed
• Offloading can be controlled through policy or intelligently by the DPI engine based on traffic characteristics, to accelerate important cloud application traffic
Packet Processing Architecture
XSTREAM Architecture

Firewall Stack
• Connection management
• Allow, block, secure decisions
• DoS and QoS

DPI Engine
• Streaming DPI processing
• Intelligent offloading
• Proxyless web filtering

SSL policy and inspection

FastPath
• Forwarding packets – offloading L2 & L3
• Direct delivery to DPI engine
• DoS and QoS offloading

The slides step through the FastPath handling of a connection in these stages:
• FastPath - Initial Connection
• FastPath - Full Offload
• FastPath - Initial Packet Delivery to DPI Engine
• FastPath - Firewall Offload
• FastPath - Full Offload of known safe connections
The XSTREAM FastPath technology

➢ allows low-latency, high-throughput packet forwarding at line speed

➢ results in more responsive networking applications

➢ lowers the load on the appliance
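To make the stages above concrete, the following added toy model (written for this page, not Sophos code) runs packets through the three stages in order: the firewall stack decides on the first packet of a flow, the DPI engine inspects packets of allowed flows until it recognises a trusted application, and from then on the flow is handed to the FastPath and no longer reaches the DPI engine. The rule fields, the `offload` policy flag, the trusted-app list and the payload markers that stand in for signatures are assumptions; DoS/QoS handling and SSL decryption are left out of the model.

```python
"""Toy model of the Xstream pipeline above: firewall stack -> DPI engine -> FastPath.
Added illustration, not Sophos code. The rule fields, the 'offload' policy flag, the
trusted-app list and the payload markers standing in for signatures are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[str, str, int, str]   # (src, dst, dst port, proto)

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes = b""

@dataclass
class FirewallRule:
    name: str
    action: str                       # "allow" or "block"
    dport: Optional[int] = None       # None matches any port
    proto: Optional[str] = None
    offload: bool = False             # policy-driven FastPath offload (assumed flag)

@dataclass
class Flow:
    rule: FirewallRule
    state: str                        # "dpi", "fastpath" or "blocked"
    app: Optional[str] = None

TRUSTED_APPS = {"office365"}          # assumption: apps the DPI engine hands to FastPath

def classify(payload: bytes) -> Optional[str]:
    """Stand-in for signature-based application and threat classification."""
    if b"EICAR" in payload:
        return "threat"
    if b"o365" in payload:
        return "office365"
    return None

class Pipeline:
    def __init__(self, rules: List[FirewallRule]):
        self.rules = rules
        self.conntrack: Dict[FlowKey, Flow] = {}
        self.stats = {"firewall": 0, "dpi": 0, "fastpath": 0, "dropped": 0}

    def _lookup_rule(self, p: Packet) -> FirewallRule:
        for r in self.rules:
            if r.dport in (None, p.dport) and r.proto in (None, p.proto):
                return r
        return FirewallRule("implicit-deny", "block")

    def handle(self, p: Packet) -> str:
        """Return the stage that handled the packet: 'dpi', 'fastpath' or 'dropped'."""
        key = (p.src, p.dst, p.dport, p.proto)
        flow = self.conntrack.get(key)
        if flow is None:                              # first packet: firewall stack decides
            self.stats["firewall"] += 1
            rule = self._lookup_rule(p)
            state = "blocked" if rule.action == "block" else ("fastpath" if rule.offload else "dpi")
            flow = self.conntrack[key] = Flow(rule, state)
        if flow.state == "blocked":
            self.stats["dropped"] += 1
            return "dropped"
        if flow.state == "fastpath":                  # offloaded: L2/L3 forwarding only
            self.stats["fastpath"] += 1
            return "fastpath"
        self.stats["dpi"] += 1                        # streaming DPI sees this packet
        verdict = classify(p.payload)
        if verdict == "threat":
            flow.state = "blocked"                    # later packets of this flow never reach DPI
            self.stats["dropped"] += 1
            return "dropped"
        if verdict:
            flow.app = verdict
        if flow.app in TRUSTED_APPS:                  # intelligent offload decided by the DPI engine
            flow.state = "fastpath"
        return "dpi"

def demo() -> Dict[str, int]:
    """Constructed traffic: four flows, ten packets each (one hostile)."""
    pl = Pipeline([FirewallRule("web-out", "allow", dport=443, proto="tcp"),
                   FirewallRule("backup", "allow", dport=5001, proto="tcp", offload=True)])
    flows = [Packet("10.0.0.5", "52.96.0.1", 443, "tcp", b"o365 client hello"),
             Packet("10.0.0.6", "198.51.100.7", 443, "tcp", b"unclassified"),
             Packet("10.0.0.7", "10.1.0.9", 5001, "tcp", b"backup chunk"),
             Packet("10.0.0.8", "198.51.100.8", 443, "tcp", b"EICAR")]
    for _ in range(10):
        for p in flows:
            pl.handle(p)
    return pl.stats
```

`demo()` returns the per-stage counters for the constructed traffic: the recognised cloud application and the policy-offloaded backup flow spend almost all of their packets in the FastPath, the unclassified flow stays in the DPI engine for every packet, and the hostile flow is blocked on its first inspected packet, which is the load reduction the slide is claiming.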


Firewall Rules: Web Filtering (DPI)
Rules and Policies

[Diagram: three flows, "example.com on port 80", "example.com on port 443" and "example.com on port xyz", enter the Firewall. In DPI mode they are handled by the DPI Engine (SSL/TLS Rules, Web Policy, Content Scan, App Control, IPS), with trusted connections passed to the FastPath; the Web Proxy (Decrypt HTTPS, Web Policy, Content Scan) is not in the path.]

Firewall Rules: Web Filtering (Proxy)
Rules and Policies

[Diagram: the same three flows enter the Firewall. In Proxy mode the web traffic is handed to the Web Proxy (Decrypt HTTPS, Web Policy, Content Scan), while the DPI Engine (SSL/TLS Rules, Web Policy, Content Scan, App Control, IPS) and the FastPath remain for the remaining traffic.]
DPI web filtering provides

➢ high-performance, low-latency web filtering

➢ the ability to offload trusted connections to the FastPath

➢ lower load on the appliance


Enterprise-grade SSL/TLS Inspection Rules
Rules and Policies

• New SSL inspection engine in v18 that is port and application agnostic
• Decrypted packets are sent to IPS, application control, web filtering and antivirus
• SSL policy is decoupled from firewall policies

Benefits of the new SSL/TLS inspection
➢ Port- and application-agnostic SSL/TLS scanning enhances security and visibility across all SSL/TLS-encrypted traffic

➢ Allows granular, customizable SSL/TLS decryption policies to comply with your own security and regulatory requirements (for example PCI DSS)

➢ Allows – uniquely in the market – application-specific SSL/TLS policies for applications recognized by Synchronized Security
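The "port and application agnostic" property above is the one a practitioner most wants to see: the decrypt decision has to come from the TLS handshake itself and from what the firewall knows about the destination, not from the TCP port the connection happens to use. The following added example (written for this page, not Sophos code) parses the SNI host name out of a TLS ClientHello and runs it through a small decrypt/pass-through policy kept separate from any firewall rule, with a privacy exclusion for a category the policy must not decrypt. The category table, the `SslRule` shape and the constructed ClientHello bytes are assumptions; XG's own rule model is not shown here.

```python
"""Added example: extract the SNI from a TLS ClientHello and apply a decrypt/pass-through
policy to it, independent of the TCP port. Not Sophos code; the category table, the
SslRule shape and the constructed ClientHello are assumptions for the demo."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

def build_client_hello(sni: str, extra_ext: bytes = b"") -> bytes:
    """Constructed sample input: a minimal ClientHello record carrying an SNI extension."""
    host = sni.encode("ascii")
    name_entry = b"\x00" + struct.pack("!H", len(host)) + host               # name type host_name
    sni_ext = struct.pack("!HHH", 0x0000, len(name_entry) + 2, len(name_entry)) + name_entry
    exts = extra_ext + sni_ext
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                              # version, random, no session id
            + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"                     # two cipher suites
            + b"\x01\x00"                                                     # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body                 # handshake type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake    # TLS handshake record

def parse_sni(data: bytes) -> Optional[str]:
    """Return the SNI host name of a TLS ClientHello, or None for non-TLS or truncated input."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:                  # handshake record, ClientHello
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        body_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + body_len]
        if len(body) != body_len:                               # truncated: refuse to guess
            return None
        pos = 2 + 32                                            # skip version and random
        pos += 1 + body[pos]                                    # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher suites
        pos += 1 + body[pos]                                    # compression methods
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:                               # walk extensions until server_name
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == 0x0000:
                p = pos + 2
                list_end = p + struct.unpack("!H", body[pos:pos + 2])[0]
                while p + 3 <= list_end:
                    ntype, nlen = body[p], struct.unpack("!H", body[p + 1:p + 3])[0]
                    if ntype == 0:
                        return body[p + 3:p + 3 + nlen].decode("ascii")
                    p += 3 + nlen
                return None
            pos += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None

# Constructed category lookup standing in for the firewall's URL/application categorisation.
CATEGORIES: Dict[str, str] = {"www.example.com": "general", "mail.example.net": "webmail",
                              "bank.example.org": "finance"}

@dataclass
class SslRule:
    """An SSL/TLS inspection rule, evaluated on its own and not tied to a firewall rule."""
    decrypt: bool
    categories: frozenset = frozenset()          # empty = any category

SSL_RULES: List[SslRule] = [SslRule(decrypt=False, categories=frozenset({"finance"})),  # privacy exclusion
                            SslRule(decrypt=True)]                                      # decrypt everything else

def decide(dport: int, first_bytes: bytes) -> str:
    """Decrypt decision taken from the handshake and category; dport is deliberately unused."""
    sni = parse_sni(first_bytes)
    if sni is None:
        return "not-tls"                              # nothing to decrypt; other DPI still applies
    category = CATEGORIES.get(sni, "uncategorised")
    for rule in SSL_RULES:
        if not rule.categories or category in rule.categories:
            return "decrypt" if rule.decrypt else "pass-through"
    return "pass-through"
```

The same ClientHello gets the same verdict on port 443 and on port 8443, plain HTTP on port 443 is recognised as not being TLS rather than being decrypted by port number, and a truncated record yields no host name instead of a guess. A real engine matches on more than the SNI (certificate, application signature), which is what the slide's "application agnostic" claim refers to.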
Enterprise NAT
Rules and Policies

• NAT rules have been decoupled from firewall rules
• You can create a linked NAT rule that matches on the same criteria as the firewall rule it is linked to
• NAT rules still require firewall rules to allow traffic
Supported NAT Types
Rules and Policies

SNAT (source NAT)
• Dynamic IP and port (mapped internally)
• Change the source port and/or IP address

DNAT (destination NAT)
• Many-to-one, one-to-one, one-to-many
• Change the destination port and/or IP address

Loopback policy
• One-click in UI
• Allows internal traffic to access services using the public IP of the XG Firewall

Linked NAT policy
• SNAT rule that will match on the same criteria as a linked firewall rule

Reflexive policy
• One-click in UI
• Allows traffic to traverse the NAT in the opposite direction

NAT load balancing
• Round robin, random, sticky IP, first alive, one-to-one
Enterprise NAT
Added Power and Flexibility

Enhancements
• Dedicated table for NAT rules
• Source NAT and destination NAT in a single rule – simpler NAT rules with better visibility
• Snap-in NAT rules to firewall rules with inline creation
• One-click loopback and reflexive policy rule options
Benefits of the Enterprise NAT features

• Simplified NAT handling due to decoupling from firewall policies

• Full-featured NAT capabilities to cover all upcoming NAT demands

• NAT load balancing allows redundancy and/or load balancing of NATed connections
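The three NAT slides above describe behaviour rather than configuration, so the following added model (written for this page, not Sophos code) puts that behaviour into executable form: a NAT table separate from the firewall table, a linked NAT rule that inherits the firewall rule's match criteria, the caveat that a NAT rule never allows traffic on its own, one-click loopback and reflexive rules generated from a DNAT rule, and the five load-balancing methods listed on the slide applied over the targets that are currently alive. The rule fields, the `alive` health set, the zone names and all addresses are assumptions for the demo, and the exact rewrite XG performs for loopback and reflexive rules may differ from this model.

```python
"""Toy model of the Enterprise NAT semantics above. Added illustration, not Sophos code;
rule fields, the 'alive' health set and all addresses are assumptions for the demo."""
import random, zlib
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

@dataclass
class Pkt:
    in_zone: str
    src: str
    dst: str
    dport: int

@dataclass
class Criteria:                               # match fields shared by firewall and NAT rules; None = any
    in_zone: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Pkt) -> bool:
        pairs = ((self.in_zone, p.in_zone), (self.src, p.src), (self.dst, p.dst), (self.dport, p.dport))
        return all(want in (None, got) for want, got in pairs)

@dataclass
class FwRule:
    name: str
    crit: Criteria

@dataclass
class NatRule:
    name: str
    crit: Optional[Criteria] = None           # own criteria ...
    linked_to: Optional[FwRule] = None        # ... or inherited from the linked firewall rule
    dnat_targets: List[str] = field(default_factory=list)
    orig_dsts: List[str] = field(default_factory=list)   # one-to-one: original dst i maps to target i
    lb_method: str = "round robin"
    snat_to: Optional[str] = None
    rr_counter: int = 0

    def criteria(self) -> Criteria:
        return self.linked_to.crit if self.linked_to else self.crit

def pick_target(rule: NatRule, p: Pkt, alive: Set[str]) -> Optional[str]:
    """DNAT load balancing over the alive targets; one branch per method on the slide."""
    if rule.lb_method == "one-to-one":        # positional mapping, no failover
        t = dict(zip(rule.orig_dsts, rule.dnat_targets)).get(p.dst)
        return t if t in alive else None
    up = [t for t in rule.dnat_targets if t in alive]
    if not up:
        return None
    if rule.lb_method == "round robin":
        rule.rr_counter += 1
        return up[(rule.rr_counter - 1) % len(up)]
    if rule.lb_method == "random":
        return random.choice(up)
    if rule.lb_method == "sticky ip":         # one client keeps landing on one server
        return up[zlib.crc32(p.src.encode()) % len(up)]
    if rule.lb_method == "first alive":
        return up[0]
    raise ValueError(f"unknown load-balancing method {rule.lb_method}")

def translate(p: Pkt, fw_rules: List[FwRule], nat_rules: List[NatRule], alive: Set[str]) -> Tuple[str, Pkt]:
    """Firewall decision first: a NAT rule only rewrites traffic a firewall rule allowed."""
    fw = next((r for r in fw_rules if r.crit.matches(p)), None)
    if fw is None:
        return "dropped: no firewall rule", p
    nat = next((n for n in nat_rules if n.criteria().matches(p)), None)
    out = Pkt(p.in_zone, p.src, p.dst, p.dport)
    if nat and nat.dnat_targets:
        target = pick_target(nat, p, alive)
        if target is None:
            return f"dropped: no alive target for {nat.name}", p
        out.dst = target
    if nat and nat.snat_to:
        out.src = nat.snat_to
    return f"allowed by {fw.name}" + (f", nat {nat.name}" if nat else ""), out

def loopback_rule(dnat: NatRule, lan_zone: str, fw_lan_ip: str) -> NatRule:
    """One-click loopback: LAN clients use the public IP; SNAT to the firewall keeps replies on path."""
    c = dnat.criteria()
    return NatRule(f"{dnat.name}-loopback", Criteria(lan_zone, None, c.dst, c.dport),
                   dnat_targets=list(dnat.dnat_targets), lb_method=dnat.lb_method, snat_to=fw_lan_ip)

def reflexive_rules(dnat: NatRule, lan_zone: str, public_ip: str) -> List[NatRule]:
    """One-click reflexive: each DNAT target's own outbound traffic leaves with the public IP."""
    return [NatRule(f"{dnat.name}-reflexive-{t}", Criteria(lan_zone, t), snat_to=public_ip)
            for t in dnat.dnat_targets]

def build_demo_config(method: str = "round robin"):
    """Constructed scenario: two web servers behind 203.0.113.10, WAN interface IP 203.0.113.2."""
    public_ip, wan_if_ip, fw_lan_ip = "203.0.113.10", "203.0.113.2", "10.0.0.1"
    servers = ["10.0.0.20", "10.0.0.21"]
    fw_web = FwRule("wan-to-web", Criteria("WAN", None, public_ip, 443))
    fw_lan = FwRule("lan-to-wan", Criteria("LAN"))
    web_dnat = NatRule("web-dnat", linked_to=fw_web, dnat_targets=servers, lb_method=method)
    ssh_dnat = NatRule("ssh-dnat", Criteria("WAN", None, public_ip, 22), dnat_targets=servers[:1])  # no firewall rule
    masq = NatRule("masq", linked_to=fw_lan, snat_to=wan_if_ip)
    nat_rules = [loopback_rule(web_dnat, "LAN", fw_lan_ip), *reflexive_rules(web_dnat, "LAN", public_ip),
                 web_dnat, ssh_dnat, masq]
    return [fw_web, fw_lan], nat_rules, set(servers)
```

Rule order matters in the NAT table just as it does in the firewall table: the generated loopback and reflexive rules sit in front of the generic masquerade rule so that LAN-to-public-IP and server-originated traffic are rewritten before the catch-all SNAT sees them. The `ssh-dnat` rule has a matching DNAT entry but no firewall rule, so its traffic is dropped, which is the "NAT rules still require firewall rules" caveat from the slide.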
Many other v18 enhancements, such as…
• Renameable interfaces
• VLANs on bridges
• SNMPv3
• Log viewer enhancements
• Firewall rule management enhancements
• Enhanced DDNS support
• Alerts & notifications enhancements
• DKIM & BATV anti-spam protection
• Kerberos authentication
• RADIUS timeout with 2FA
• DHCP relay enhancements
• Secure Syslog with standard Syslog
• Dynamic GeoIP database
• Jumbo frame support
• Bridge interface enhancements
• Web policy enhancements
• Sandstorm Threat Intelligence Analysis
• SD-WAN policy routing
Planned v18 Schedule
• September 2019 – Public customer and partner Early Access Program (EAP) begins
• Beginning of 2020 – General Availability

Between September 2019 and January 2020 there will be multiple EAP phases as the team continues to roll out updates to EAP participants.

Disclaimer: Plan may vary, as this is an outlook into the future…
