
Sophos Firewall v19.5 Engineer Delta

Sophos Firewall
EU80: Sophos Firewall v19.5 Engineer Delta

November 2022
Version: 19.5v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written
consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the
trademarks or registered trademarks of Sophos Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express
or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon,
Oxfordshire, OX14 3YP.

Sophos Firewall v19.5 Engineer Delta- 1


About This Course
This course covers the changes between Sophos Firewall version 19.0 and Sophos Firewall version 19.5 and is required to maintain your certification.

PREREQUISITES: Prior to completing this course, you must be certified in Sophos Firewall Engineer and any subsequent delta modules up to version 19.0.

DURATION: This course will take around 30 minutes to complete.


Xstream SD-WAN



SD-WAN Profile Load Balancing
[Diagram: two gateways, each showing 5ms latency. In v19.0 the profile sends traffic through one gateway; in v19.5 it sends traffic through both.]

In Sophos Firewall version 19.0, we introduced SD-WAN profiles that can select the best gateway
based on performance metrics. If the service level agreement (SLA) is not enabled, the first available
gateway is used.

In version 19.5, Sophos Firewall can serve traffic through all of the gateways in the profile that meet
the SLA or health check criteria, or, if the SLA is not enabled, through all available gateways.


SD-WAN Profile Load Balancing


Here, you can see two SD-WAN profiles, the first is configured to use the first available gateway, which
was available in version 19.0, and the second is configured to use load balancing among all available
gateways. You can see that for the load balanced SD-WAN profile both gateways are active.


SD-WAN Profile Load Balancing

When configuring SD-WAN profiles in version 19.5 there is a new option to select the routing strategy.
The ‘First available gateway’ option works the same as SD-WAN profiles in version 19.0, and the ‘Load
balancing’ option uses all available gateways that meet the SLA, if it is enabled.

When the load balancing mode is selected you can choose the load balancing method. ‘Round-robin’
distributes new connections to each gateway in turn. Alternatively, you can choose a session
persistence type, which routes all traffic sharing the same key through the same gateway. The key can
be:
• Source IP address
• Destination IP address
• Source and destination IP address
• Connection


SD-WAN Profile Load Balancing

You can choose to weight the distribution of traffic across the gateways. For example, you may want to
do this if the connections are different speeds. By default, all gateways are given a weight of one.


SD-WAN Profile Load Balancing

If you have the service level agreement settings enabled, then only gateways that meet the SLA will be
included in the available gateways for load balancing. The SLA configuration remains the same as it
was in version 19.0.


SD-WAN Profile Load Balancing

In the SD-WAN performance charts you can see the distribution of the connections and data across
the gateways. This data can be reset if you are troubleshooting your SD-WAN profile configuration.
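The model below is an added example written for this page, not Sophos code: it shows how the eligible-gateway set (health check plus SLA), the per-gateway weights, round-robin and the session persistence keys interact, and how the per-gateway connection counts shown in the performance charts arise. The SLA thresholds, gateway names, weights and addresses are constructed for illustration, and hashing the persistence key into weighted slots is an assumption about how a deterministic mapping can be built, not a description of the firewall's implementation.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass
class Gateway:
    name: str
    weight: int = 1          # profile default: every gateway has weight 1
    latency_ms: float = 0.0
    jitter_ms: float = 0.0
    loss_pct: float = 0.0
    up: bool = True          # result of the gateway health check


@dataclass
class SLA:
    enabled: bool = True
    max_latency_ms: float = 50.0   # thresholds are constructed examples
    max_jitter_ms: float = 10.0
    max_loss_pct: float = 1.0

    def passes(self, gw):
        """Eligible if the health check passed and, with the SLA enabled,
        every measured value is within its threshold."""
        if not gw.up:
            return False
        if not self.enabled:
            return True
        return (gw.latency_ms <= self.max_latency_ms
                and gw.jitter_ms <= self.max_jitter_ms
                and gw.loss_pct <= self.max_loss_pct)


@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str = "tcp"


# Session persistence type -> the fields that form the key. Every connection
# sharing a key is sent through the same gateway.
PERSISTENCE_KEY = {
    "source": lambda c: (c.src_ip,),
    "destination": lambda c: (c.dst_ip,),
    "source_destination": lambda c: (c.src_ip, c.dst_ip),
    "connection": lambda c: (c.src_ip, c.dst_ip, c.src_port, c.dst_port, c.proto),
}


class SdWanProfile:
    def __init__(self, gateways, sla, strategy="load_balancing", method="round_robin"):
        if strategy not in ("first_available", "load_balancing"):
            raise ValueError(f"unknown routing strategy {strategy!r}")
        if method != "round_robin" and method not in PERSISTENCE_KEY:
            raise ValueError(f"unknown load balancing method {method!r}")
        self.gateways = list(gateways)
        self.sla = sla
        self.strategy = strategy
        self.method = method
        self._turn = 0

    def eligible(self):
        return [g for g in self.gateways if self.sla.passes(g)]

    def select(self, conn):
        """Pick the gateway for a new connection, or None if nothing is eligible."""
        pool = self.eligible()
        if not pool:
            return None
        if self.strategy == "first_available":
            return pool[0]                       # the v19.0 behaviour
        if self.method == "round_robin":
            # Weighted round-robin: a gateway of weight 3 occupies three slots
            # of the ring, so it takes three of every four new connections.
            ring = [g for g in pool for _ in range(g.weight)]
            gw = ring[self._turn % len(ring)]
            self._turn += 1
            return gw
        # Session persistence: hash the key into the weighted slot space so the
        # same key always lands on the same eligible gateway (hash choice is an
        # assumption for this model, not the firewall's implementation).
        key = "|".join(str(f) for f in PERSISTENCE_KEY[self.method](conn))
        slot = int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")
        slot %= sum(g.weight for g in pool)
        for gw in pool:
            if slot < gw.weight:
                return gw
            slot -= gw.weight
        raise AssertionError("slot outside weighted range")


def distribution(profile, conns):
    """Connections per gateway, as the SD-WAN performance chart reports them."""
    return Counter(gw.name for gw in (profile.select(c) for c in conns) if gw)
```

With session persistence the key is mapped only across the gateways that are eligible at that moment, so when a gateway drops out of the SLA the sessions keyed to it move, and they may move back when it recovers. That is inherent to persistence over a changing pool; it is still the right choice for applications that break when the client's public address changes mid-session, while round-robin spreads load more evenly.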


Video Demo: SD-WAN Profile Load Balancing

In this short demo you will see how to configure SD-WAN profile load balancing on Sophos Firewall.

Demonstration: https://training.sophos.com/fw/demo/SdWanLoadBalancing/1/play.html


IPsec Tunnels
To improve the flexibility of SD-WAN on Sophos Firewall, the number of concurrent IPsec tunnels
supported has increased to 10,000 tunnels.


High Availability Enhancements



High Availability Enhancements

In version 19.5 there are a number of HA enhancements, including:


• The ability to name HA nodes so that administrators can more easily determine which node a
message relates to
• Configuration of a preferred primary node
• Support for LAG and VLANs as dedicated HA links
• Improved HA status visibility
• Several UI improvements for HA configuration and status


Naming HA Nodes

Let’s start by looking at the HA node names. You can set the node name in both quick mode and
interactive mode to help you be sure you know which device you are working on. You can also edit the
node name after you have configured the HA cluster.


Naming HA Nodes

The node name is shown in various places, including the browser tab, email notifications, and the HA
log entries. This makes it much clearer which device the log entries refer to without having to look up
the serial number.


Configure Preferred Primary Node

Previously you could select a preferred primary device using a checkbox. In version 19.5 this is now
done with a drop-down where you select the specific node you want to be the preferred primary
device when it is available. This helps to prevent any confusion over which device you are setting as
the preferred primary.


LAG and VLAN Support

Sophos Firewall now supports both LAG and VLAN interfaces for the dedicated HA link.

A LAG used as the dedicated HA link can include up to 4 member interfaces.

The VLAN interface can be a pure VLAN interface, that is, one whose parent interface has no
configuration of its own.

VLAN interfaces can also now be selected as monitoring interfaces in the HA configuration.


LAG and VLAN Support

If HA is being configured using quick mode, then all of the selected dedicated HA links will be
configured into a LAG automatically. In interactive mode the LAG interface will need to be
preconfigured.


VLAN Support

There are a few things to remember when using VLAN interfaces with HA.

If you have selected a VLAN interface as the dedicated HA link, you will not be able to update the
configuration of its parent interface.

Using the ‘Use host or hypervisor-assigned MAC’ option with a VLAN dedicated HA link can cause
instability. If you choose this configuration, you will be prompted with a caution message.

When HA is disabled, the parent interface configuration is removed, but the VLAN dedicated HA link is
retained and can be reused.


Improved HA Status Visibility

The visibility of the HA cluster has been improved. You can see the status in the top-right corner of
every page in the admin menu. You will notice that this also includes the name of the node you are
currently working on.

Having the status here means that it is visible on all pages of the Sophos Firewall. Expanding the admin
menu shows the status of each of the nodes in the HA cluster.


UI Improvements

The high availability status page has been updated to be clearer. The role and status have been
separated into two columns, and the date and time of the last status change is shown.

You can also see which node was the initial primary device and holds the license for active-passive
clusters.


UI Improvements

If you log in to the auxiliary node you will now see a banner at the top of the page that clearly shows
which device you are on. You cannot change the configuration of an HA cluster from the auxiliary node.


UI Improvements
Sophos Firmware Version: SFOS 19.5.0 EAP1-Build144
Model: SFVUNL
Hostname: lon-gw1.sophos.local
HA node name: Sophos Left Rack 1

Current status: Primary (Active) from 02:38:21 PM, Nov 02, 2022

Main Menu

1. Network Configuration
2. System Configuration
3. Route Configuration
4. Device Console
5. Device Management
6. VPN Management
7. Shutdown/Reboot Device
0. Exit

Select Menu Number [0-7]:

When you log in to the command line interface of Sophos Firewall you will now see the host and node
information clearly displayed.


UI Improvements

Sophos Firewall
===============
(C) Copyright 2000-2022 Sophos Limited and others. All rights reserved.
Sophos is a registered trademark of Sophos Limited and Sophos Group.
All other product and company names mentioned are trademarks or registered
trademarks of their respective owners.

For Sophos End User Terms of Use - https://www.sophos.com/en-us/legal/sophos-end-user-terms-of-use.aspx

NOTE: If not explicitly approved by Sophos support, any modifications
done through this option will void your support.

SFVUNL_HV01_SFOS 19.5.0 EAP1-Build144 HA-Primary#

In the advanced shell the node role is shown in the prompt.


UI Improvements
console> system ha show details
HA details
==================================================================================================
HA status | Enabled
HA mode | Active-passive
Cluster ID | 0
Initial primary | C01001YQ2HKHV7C (Sophos Left Rack 1)
Preferred primary | No preference
Load balancing | Not applicable
Dedicated port | PortH
Monitoring port | PortA,PortB
Keepalive request interval | 250
Keepalive attempts | 16
Hypervisor-assigned MAC addresses | Disabled

Local node
==================================================================================================
Serial number (nodename) | C01001YQ2HKHV7C (Sophos Left Rack 1)
Current HA role | Primary
Dedicated link's IP address | 169.254.192.1
Last status change | 02:38:21 PM, Nov 02, 2022

Peer node
==================================================================================================
Serial number (nodename) | C01001K69QMKY14 (Sophos Left Rack 2)
Current HA role | Auxiliary
Dedicated link's IP address | 169.254.192.2

The output of the system ha show details command has been updated to improve the readability and
include new information such as the preferred primary.
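As an added example (not part of the course and not Sophos tooling), the script below parses the `system ha show details` output shown above into sections and runs a few health checks over it, the kind of thing you would hang off a monitoring job that collects the command output over SSH. The sample text is the course's own output embedded as test input; the checks and what they flag are my own choices.

```python
import re

# Sample output copied from the course's `system ha show details` screen,
# embedded here as test input for the parser.
SAMPLE = """\
HA details
==========
HA status | Enabled
HA mode | Active-passive
Cluster ID | 0
Initial primary | C01001YQ2HKHV7C (Sophos Left Rack 1)
Preferred primary | No preference
Load balancing | Not applicable
Dedicated port | PortH
Monitoring port | PortA,PortB
Keepalive request interval | 250
Keepalive attempts | 16
Hypervisor-assigned MAC addresses | Disabled

Local node
==========
Serial number (nodename) | C01001YQ2HKHV7C (Sophos Left Rack 1)
Current HA role | Primary
Dedicated link's IP address | 169.254.192.1
Last status change | 02:38:21 PM, Nov 02, 2022

Peer node
==========
Serial number (nodename) | C01001K69QMKY14 (Sophos Left Rack 2)
Current HA role | Auxiliary
Dedicated link's IP address | 169.254.192.2
"""

_NODE_RE = re.compile(r"^(\S+)\s*\((.*)\)$")


def _is_rule(s):
    return bool(s) and set(s) == {"="}


def parse_ha_details(text):
    """Split the output into {section: {key: value}} using the
    'header line followed by ==== rule' layout and the ' | ' separator."""
    sections, current = {}, None
    lines = [ln.rstrip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        s = line.strip()
        if not s or s.startswith("console>") or _is_rule(s):
            continue
        if i + 1 < len(lines) and _is_rule(lines[i + 1].strip()):
            current = s
            sections[current] = {}
        elif " | " in s and current is not None:
            key, value = s.split(" | ", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def split_node(value):
    """'SERIAL (node name)' -> ('SERIAL', 'node name'); other values pass through."""
    m = _NODE_RE.match(value)
    return (m.group(1), m.group(2)) if m else (value, "")


def ha_findings(sections):
    """Return a list of problems; an empty list means the cluster looks healthy."""
    details = sections.get("HA details", {})
    local = sections.get("Local node", {})
    peer = sections.get("Peer node", {})
    findings = []
    if details.get("HA status") != "Enabled":
        findings.append("HA is not enabled")
    if not peer:
        findings.append("peer node not reported (dedicated link down or peer offline?)")
    roles = {local.get("Current HA role"), peer.get("Current HA role")}
    if details.get("HA mode") == "Active-passive" and roles != {"Primary", "Auxiliary"}:
        findings.append("unexpected role pair for active-passive: "
                        + ", ".join(sorted(r for r in roles if r)))
    if not details.get("Monitoring port"):
        findings.append("no monitoring ports configured: interface link failures will not trigger a failover")
    pref_serial, _ = split_node(details.get("Preferred primary", "No preference"))
    local_serial, _ = split_node(local.get("Serial number (nodename)", ""))
    if (pref_serial != "No preference" and local.get("Current HA role") == "Primary"
            and pref_serial != local_serial):
        findings.append("preferred primary is not the active primary (failback pending?)")
    return findings
```

Run it on each collected output and alert when `ha_findings` is non-empty; the node names parsed by `split_node` make the alert text readable without a serial-number lookup, which is exactly what the naming feature is for.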


UI Improvements

To help ensure the correct device is configured as the initial primary device in active-passive clusters,
additional text has been added where you select the initial device role. This will explain which license
will be used for the cluster.


UI Improvements

When you initiate the HA configuration you will see an additional notice to ensure that the correct
node is being set as the initial primary.


Azure AD SSO for Web Console Login



Azure AD SSO for Web Console Login

Sophos Firewall version 19.5 allows you to configure Azure AD single sign-on for administrators to
log in to the web console.

Using Azure AD for the administrator login allows administrators to have a single username and
password for all the systems they need to access, and provides a single place where you can manage
administrators' access.

The Azure AD capabilities used for this integration are part of the free tier of Azure AD, and the
implementation is built on OpenID Connect and OAuth 2.0.


Configuration Process

The configuration process can be broken down into eight steps, most of which are completed in
Azure:
1. Create an app registration in Azure; this provides the basis for Sophos Firewall to communicate
with Azure.
2. In the app registration, create a client secret that Sophos Firewall will use to authenticate.
3. Add an app role to the app registration; this is used to manage access.
4. Add API permissions to the app registration; these are the permissions Sophos Firewall requires
to authenticate users.
5. Assign users to the app role.
6. On Sophos Firewall, add an Azure AD SSO authentication server (new in version 19.5).
7. Select the Azure AD SSO authentication server as an authentication source for administrators.
8. Add a redirect URI to the app registration in Azure so that users are redirected back to Sophos
Firewall once they have authenticated.


Create an App Registration on Azure

Let’s look at each of these steps in a little more detail.

The configuration is done in Azure AD, and you start by creating a new app registration. Give the app
registration a name and select the redirect URI type as ‘Web’. You will add the redirect URI later.


Create a New Client Secret for the App Registration

So that Sophos Firewall can authenticate to Azure AD, you will need to create a new client secret. You
can only copy the secret value once, at the time you create it; as soon as you navigate away from the
page you lose the ability to copy it.

When you create the client secret you choose how long it is valid for. We would recommend rotating
the secret periodically for security. Note the expiry date: if the secret expires before a new one has
been entered on Sophos Firewall, administrator SSO logins will fail, so keep at least one local
administrator account available as a fallback.


Add an App Role to the App Registration

Create an app role in the app registration. The value of this role is what Sophos Firewall maps to one
of its own administrator roles. You can create multiple app roles, and the role an administrator holds
determines the role they get on Sophos Firewall.

You can only assign one role to a user.


Add API Permissions to the App Registration

You will need to add permissions to the app registration so that Sophos Firewall can retrieve the
information it needs as part of the login process.

In addition to the default User.Read permission, add the User.Read.All and Group.Read.All Microsoft
Graph permissions as Delegated permissions.

Once you have added the permissions, use the Grant admin consent button. Both of these permissions
require admin consent in Azure AD, so if you skip this step administrators will face an additional
consent prompt when logging in, and a user who is not an Azure AD administrator cannot complete it.


Assign Users to the App Role

Assign administrators to the app role so they are assigned the correct permissions when they
authenticate.


Add an Azure AD SSO Authentication Server on Sophos Firewall

The next step is to configure Sophos Firewall.

You need to add an Azure AD SSO authentication server and configure it with the details from the app
registration you created in Azure.

You will need to enter the ‘Application (client) ID’ and ‘Directory (tenant) ID’ from the Overview page
of the app registration.

You also need to enter the client secret you created.

On this page you will find the ‘Web admin console URL’, which will need to be added as the redirect
URI in Azure.


Add an Azure AD SSO Authentication Server on Sophos Firewall

Further down the page you select the fallback user group. This is the group that will be assigned to the
user if they do not match any other group.

You also create a mapping between the app role you created in Azure and the roles on Sophos
Firewall. Enter the value from the role you created in Azure and select the Sophos Firewall role.


Enable the Authentication Server for Administrator Logins

Once the authentication server has been created, you need to select it as an authentication method
for Sophos Firewall administrators.


Add a Redirect URI to the App Registration on Azure

Back in Azure, you need to add the redirect URI from the Azure AD SSO authentication server on
Sophos Firewall to the app registration.


Web Console Login with SSO Enabled

When SSO is configured on Sophos Firewall the login screen changes to give administrators the choice
between using SSO or local credentials to log in. If they choose SSO they are redirected to the Azure
login screen.
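The following is an added example, not Sophos code or material from the course: it models the checks the firewall side must make after Azure AD redirects the administrator back with an ID token, and how the app role carried in that token is mapped to a firewall role, with the fallback applied when no mapping matches. The tenant ID, client ID, app role values, firewall role names and token claims are all constructed. The code assumes the token's signature has already been verified against the tenant's published signing keys; that step is what makes the rest meaningful and is not shown here.

```python
import time

# Values from the app registration (constructed for this example).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

# Firewall-side mapping: Azure app role *value* -> firewall role.
# Both sides of the mapping are assumed names for illustration.
ROLE_MAP = {
    "SFW.Administrator": "Administrator",
    "SFW.Audit": "Audit Admin",
}
FALLBACK_ROLE = "Audit Admin"   # assumed fallback for users with no mapped role


class SsoError(Exception):
    pass


def validate_id_token_claims(claims, *, client_id, tenant_id, expected_nonce, now=None):
    """Claim checks that must pass *after* the token signature has been verified.
    Each check closes a distinct hole: wrong tenant, token minted for another
    app, replayed token, expired token."""
    now = time.time() if now is None else now
    expected_iss = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    if claims.get("iss") != expected_iss:
        raise SsoError("issuer mismatch")
    if claims.get("tid") != tenant_id:
        raise SsoError("token issued by a different tenant")
    if claims.get("aud") != client_id:
        raise SsoError("audience mismatch: token was not issued to this app registration")
    if not expected_nonce or claims.get("nonce") != expected_nonce:
        raise SsoError("nonce mismatch (possible replay)")
    if now >= claims.get("exp", 0):
        raise SsoError("token expired")
    if now < claims.get("nbf", 0):
        raise SsoError("token not yet valid")
    return claims


def resolve_firewall_role(claims, role_map=ROLE_MAP, fallback=FALLBACK_ROLE):
    """Map the app roles in the token to exactly one firewall role. More than one
    mapped role is treated as a configuration error and fails closed rather than
    silently choosing the most privileged one (a design choice for this model)."""
    matched = sorted({role_map[r] for r in claims.get("roles", []) if r in role_map})
    if len(matched) > 1:
        raise SsoError(f"user holds more than one mapped role: {matched}")
    return matched[0] if matched else fallback


def admin_login(claims, expected_nonce, now=None):
    """Return (principal, firewall role) for a valid token, otherwise raise SsoError."""
    validate_id_token_claims(claims, client_id=CLIENT_ID, tenant_id=TENANT_ID,
                             expected_nonce=expected_nonce, now=now)
    principal = claims.get("preferred_username") or claims.get("oid")
    return principal, resolve_firewall_role(claims)
```

The audience check is the one most often skipped: any app registration in the same tenant can obtain an ID token for the same user, so without it a token issued to an unrelated application would be accepted for firewall administration.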


Simulation: Sophos Firewall Admin Azure SSO for Web Console
In this simulation you will configure single sign-on for administrators using Azure AD.

Simulation: https://training.sophos.com/fw/simulation/AzureADAdminSSO/1/start.html


Other Enhancements



Xstream TLS Decryption
[Diagram: packet path through the DPI engine slow path (TLS, IPS, AV, App, Web) and the FastPath (DoS, VPN, FW, QoS). In v19.5, TLS decryption moves from the DPI engine to the FastPath on the Xstream Flow Processor.]

In version 19.5, Sophos Firewall can now offload the TLS decryption to the Xstream Flow Processor,
resulting in better overall performance with TLS decryption.

This is currently available for the XGS 4300, 4500, 5500, and 6500.


New Routing Engine


Sophos Firewall version 19.5 implements a new dynamic routing engine that includes support for
OSPFv3 (OSPF for IPv6).

The new routing engine makes better routing decisions because it takes the actual bandwidth into
consideration, and the limit on the number of routes and neighbors has been removed.


Static Routing

Static route configuration now includes an administrative distance and a metric. The administrative
distance ranks routes to the same prefix that were learned from different sources (static, OSPF, BGP
and so on): the route from the source with the lowest administrative distance is the one installed. The
metric is then used to select between static routes to the same destination.
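As an added example (not Sophos code), the function below implements the selection order the paragraph describes: longest matching prefix first, then lowest administrative distance, then lowest metric, returning every route that still ties so that equal-cost candidates are visible. The routing table, administrative distances and metrics are constructed values for illustration, not Sophos defaults.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str          # e.g. "10.1.0.0/16"
    next_hop: str
    source: str          # "static", "ospf", "bgp", ...
    admin_distance: int  # trust in the source: lower wins across sources
    metric: int          # tie-break within a source: lower wins


def best_routes(table, destination):
    """Return every route that ties for best to `destination`.
    Precedence: longest prefix match, then lowest administrative distance,
    then lowest metric. More than one result means equal-cost candidates
    remain after all three tests."""
    dst = ipaddress.ip_address(destination)
    matching = [r for r in table if dst in ipaddress.ip_network(r.prefix)]
    if not matching:
        return []

    def rank(r):
        # Negative prefix length so that min() prefers the more specific route.
        return (-ipaddress.ip_network(r.prefix).prefixlen, r.admin_distance, r.metric)

    top = min(rank(r) for r in matching)
    return [r for r in matching if rank(r) == top]


# Constructed table; the administrative distances and metrics are example
# values chosen to exercise each rule, not product defaults.
TABLE = [
    Route("10.0.0.0/8",  "192.0.2.1", "static", 5,   10),   # A
    Route("10.0.0.0/8",  "192.0.2.2", "static", 5,   20),   # B: same source as A, worse metric
    Route("10.0.0.0/8",  "192.0.2.3", "ospf",   110, 2),    # C: best metric, but less trusted source
    Route("10.1.0.0/16", "192.0.2.4", "static", 5,   50),   # D: more specific prefix
    Route("10.0.0.0/8",  "192.0.2.5", "static", 5,   10),   # E: exact tie with A
]
```

The point the table makes is that metric never competes across sources: route C has the lowest metric of all, yet it loses to A because the comparison of administrative distance happens first.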


Multicast Group Limit
The default multicast group limit on Sophos Firewall has been increased to 250.


Interface Link Settings Detection

Sophos Firewall will auto-detect and recommend link settings. In the ‘Advanced settings’ section of the
interface you can click Show recommended settings to see them, then click Load recommended
configuration to apply the recommended parameters.

This includes support for advanced port configuration for high-speed interfaces, including forward
error correction (FEC) for 40 gigabit interfaces on the XGS 5500 and 6500.


Breakout Interface Support

Version 19.5 adds support for breakout cables for 40 gigabit interfaces, splitting them into 10 gigabit
interfaces using DAC or fiber breakout cables.


Host and Service Object Search

You can now search for hosts and service objects in Sophos Firewall using both name and
configuration details to return results.


Log Rotation


The log rotation settings have been updated in version 19.5. Rotated log files are now compressed
and include a date and time stamp in the filename; previously, rotated files were not compressed and
used a ‘.0’ extension. This provides more space for critical logs and so improves troubleshooting. Any
scripts or log collection jobs that rely on the old ‘.0’ filenames will need to be updated for the new
naming.

The size of each file and the number of rotations kept have also changed for each log, depending on
its relative importance.

Small desktop devices with no hard disk use a different set of log rotation settings that stores less data
than other devices.


Zero-Day Protection File Size Limit Controlled by Sophos


Over time Sophos’ zero-day protection has been able to increase the size of the files that it supports;
however, as the maximum file size was set on Sophos Firewall it did not keep pace. The maximum file
size for scanning will now be controlled by SophosLabs instead of being determined on Sophos
Firewall. This may increase the number of files submitted to zero-day protection for scanning but can
be managed by SophosLabs depending on threat conditions.


Removed Caching of Endpoint Updates

The option to always cache endpoint updates has been removed in version 19.5. This option allowed
the proxy to aggressively cache content it identified as endpoint updates. It dates from before the
move to HTTPS updating and before the DPI engine became the default method for web filtering.
Because all traffic to Sophos is excluded from HTTPS decryption, caching in this way is no longer
possible.

Where caching is required, we recommend deploying an update cache from Sophos Central, which is
designed to handle this in the most efficient way.


Firmware Updates


From Sophos Firewall version 19.0 MR 1, firmware updates on Sophos Firewall require a valid support
license. Three free firmware updates are provided, and mandatory updates that are installed as part of
the initial setup wizard are not counted towards this. Pattern updates are not affected by this change.


Firmware Updates

For devices that do not have a valid support license applied, a banner is shown on the firmware page
that shows the number of free firmware updates that are left.


Course Review


Here are the three main things you learned in this chapter.

You can use SD-WAN profiles to load-balance connections across interfaces. This can be done using
round-robin or session persistence. Links can be weighted to determine how traffic is distributed
between them, and you can use the SLA to select which links will be included in the load balancing.

High availability now supports LAG and VLAN interfaces for the dedicated HA link, and VLAN interfaces
for monitored links. You can name HA nodes and the UI has been improved to make the status of the
HA cluster more visible and make it easier to know which node you are working on.

You can configure single sign-on for administrators to log in to the web console using Azure AD. This
allows administrators to have a single username and password for all the systems they need to access
and provides a single place where you can manage administrators' access.


TRAINING FEEDBACK

Feedback on our courses is always welcome. Please email us at globaltraining@sophos.com with your comments.
