EU80 19.5v1 Sophos Firewall v19.5 Engineer Delta
November 2022
Version: 19.5v1
© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written
consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the
trademarks or registered trademarks of Sophos Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express
or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon,
Oxfordshire, OX14 3YP.
DURATION 30 minutes
This course will cover the changes between Sophos Firewall version 19.0 and Sophos Firewall version
19.5 and is required to maintain your certification.
Prior to completing this course, you must be certified in Sophos Firewall Engineer and any subsequent
delta modules up to version 19.0.
Xstream SD-WAN
In Sophos Firewall version 19.0, we introduced SD-WAN Profiles that can select the best gateway
based on performance metrics. If the service level agreement (SLA) is not enabled, the first available
gateway will be used.
In version 19.5, Sophos Firewall can serve traffic through all of the gateways in the profile that meet
the SLA or health check criteria, or if the SLA is not enabled, all available gateways.
Load balancing
Here, you can see two SD-WAN profiles. The first is configured to use the first available gateway, which
was already available in version 19.0, and the second is configured to use load balancing among all available
gateways. You can see that for the load balanced SD-WAN profile both gateways are active.
When configuring SD-WAN profiles in version 19.5, there is a new option to select the routing strategy.
The ‘First available gateway’ option works the same as SD-WAN profiles in version 19.0, and the ‘Load
balancing’ option will use all available gateways that meet the SLA, if it is enabled.
When the load balancing mode is selected you can select the load balancing method used. You can
use ‘Round-robin’, which distributes the connections to each gateway in turn. Alternatively, you can
choose a session persistence type, which routes all traffic matching the persistence key through the same
gateway. You can choose between:
• Source IP address
• Destination IP address
• Source and destination IP address
• Connection
You can choose to weight the distribution of traffic across the gateways. For example, you may want to
do this if the links have different speeds. By default, all gateways are given a weight of one.
If you have the service level agreement settings enabled, then only gateways that meet the SLA will be
included in the available gateways for load balancing. The SLA configuration remains the same as it
was in version 19.0.
In the SD-WAN performance charts you can see the distribution of the connections and data across
the gateways. This data can be reset if you are troubleshooting your SD-WAN profile configuration.
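The following is an added illustration of the selection logic described above, not code from Sophos or from this course: a small model of an SD-WAN profile that applies the ‘First available gateway’ and ‘Load balancing’ strategies, the round-robin and session-persistence methods, per-gateway weights, and the SLA filter, and keeps the per-gateway connection counts that the performance charts display. The gateway names, IP addresses and the hash used for persistence are constructed for the example.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Gateway:
    name: str
    weight: int = 1          # all gateways default to a weight of one
    meets_sla: bool = True   # outcome of the SLA / health check for this gateway


@dataclass
class SdwanProfile:
    gateways: list
    strategy: str = "first_available"  # or "load_balancing"
    method: str = "round_robin"        # or "src_ip", "dst_ip", "src_dst_ip", "connection"
    sla_enabled: bool = False
    stats: Counter = field(default_factory=Counter)  # connections per gateway (the chart)
    _counter: int = 0                                 # round-robin position
    _sticky: dict = field(default_factory=dict)       # persistence key -> gateway name

    def available(self):
        """With the SLA enabled only gateways that meet it are candidates; otherwise all."""
        return [g for g in self.gateways if not self.sla_enabled or g.meets_sla]

    def select(self, src_ip, dst_ip, conn_id):
        """Return the gateway name for a new connection, or None if none is available."""
        cands = self.available()
        if not cands:
            return None
        if self.strategy == "first_available":
            chosen = cands[0].name
        else:
            # Weighted pool: a gateway with weight 2 appears twice, so it gets twice the share.
            pool = [g.name for g in cands for _ in range(g.weight)]
            if self.method == "round_robin":
                chosen = pool[self._counter % len(pool)]
                self._counter += 1
            else:
                key = {"src_ip": src_ip, "dst_ip": dst_ip,
                       "src_dst_ip": f"{src_ip}>{dst_ip}", "connection": conn_id}[self.method]
                chosen = self._sticky.get(key)
                if chosen not in pool:  # first time seen, or pinned gateway no longer meets SLA
                    digest = hashlib.sha256(key.encode()).digest()
                    chosen = pool[int.from_bytes(digest[:4], "big") % len(pool)]
                    self._sticky[key] = chosen
        self.stats[chosen] += 1
        return chosen

    def reset_stats(self):
        """Clear the distribution counters, as you would when troubleshooting a profile."""
        self.stats.clear()
```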
https://training.sophos.com/fw/demo/SdWanLoadBalancing/1/play.html
To improve the flexibility of SD-WAN on Sophos Firewall, the number of concurrent IPsec tunnels
supported has increased to 10,000 tunnels.
High Availability Enhancements
Naming of HA nodes
Let’s start by looking at the HA node names. You can set the node name in both quick mode and
interactive mode so that you can be sure which device you are working on. You can also edit the
node name after you have configured the HA cluster.
The node name is shown in various places, including the browser tab, email notifications, and the
HA log entries. This makes it much clearer which device the log entries are referring to without
having to look up the serial number.
Previously you could select a preferred primary device using a checkbox. In version 19.5 this is now
done with a drop-down where you select the specific node you want to be the preferred primary
device when it is available. This helps to prevent any confusion over which device you are setting as
the preferred primary.
Sophos Firewall now supports both LAG and VLAN interfaces for the dedicated HA link.
VLAN interfaces can be pure VLAN interfaces where the parent interface is not configured.
VLAN interfaces can also now be selected as monitoring interfaces in the HA configuration.
If HA is being configured using quick mode, then all of the selected dedicated HA links will be
configured into a LAG automatically. In interactive mode the LAG interface will need to be
preconfigured.
There are a few things to remember when using VLAN interfaces with HA.
If you have selected a VLAN interface as a dedicated HA link, you will not be able to update the parent
interface configuration.
If you use the option ‘Use host or hypervisor-assigned MAC’ with a VLAN interface, it can cause
instability. If you use this configuration, you will be prompted with a caution message.
When disabling HA, the parent interface configuration will be removed, but the VLAN dedicated HA
link is retained and can be reused.
The visibility of the HA cluster has been improved. You can see the status in the top-right corner of
every page in the admin menu. You will notice that this also includes the name of the node you are
currently working on.
Having the status here means that it is visible on all pages of the Sophos Firewall. Expanding the admin
menu shows the status of each of the nodes in the HA cluster.
The high availability status page has been updated to be clearer. The role and status have been
separated into two columns, and the date and time of the last status change is shown.
You can also see which node was the initial primary device and holds the license for active-passive
clusters.
If you log in to the auxiliary node you will now see a banner at the top of the page to clearly show
which device you are on. You cannot change the configuration of an HA cluster from the auxiliary node.
Current status: Primary (Active) from 02:38:21 PM, Nov 02, 2022
Main Menu
1. Network Configuration
2. System Configuration
3. Route Configuration
4. Device Console
5. Device Management
6. VPN Management
7. Shutdown/Reboot Device
0. Exit
When you log in to the command line interface of the Sophos Firewall you will now see the host and
node information clearly displayed.
Cluster ID | 0
Initial primary | C01001YQ2HKHV7C (Sophos Left Rack 1)
Preferred primary | No preference
Load balancing | Not applicable
Dedicated port | PortH
Monitoring port | PortA,PortB
Keepalive request interval | 250
Keepalive attempts | 16
Hypervisor-assigned MAC addresses | Disabled
Local node
==================================================================================================
Serial number (nodename) | C01001YQ2HKHV7C (Sophos Left Rack 1)
Current HA role | Primary
Dedicated link's IP address | 169.254.192.1
Last status change | 02:38:21 PM, Nov 02, 2022
Peer node
==================================================================================================
Serial number (nodename) | C01001K69QMKY14 (Sophos Left Rack 2)
Current HA role | Auxiliary
Dedicated link's IP address | 169.254.192.2
The output of the ‘system ha show details’ command has been updated to improve the readability and
include new information such as the preferred primary.
To help ensure the correct device is configured as the initial primary device in active-passive clusters,
additional text has been added where you select the initial device role. This will explain which license
will be used for the cluster.
When you initiate the HA configuration you will see an additional notice to ensure that the correct
node is being set as the initial primary.
Sophos Firewall version 19.5 allows you to configure Azure AD single sign-on for administrators to
log in to the web console.
Using Azure AD for the administrator login allows administrators to have a single username and
password for all the systems they need to access, and provides a single place where you can manage
administrators’ access.
The Azure AD capabilities utilized for this integration are part of the free tier of Azure AD, and our
implementation takes advantage of OpenID Connect and OAuth 2.0 for optimal security.
The configuration process can be broken down into eight steps, most of which are completed in
Azure.
• Start by creating an app registration in Azure; this will provide the basis for Sophos Firewall to
communicate with Azure
• In the app registration, create a client secret that Sophos Firewall will use to authenticate
• Add an app role to the app registration; this will be used to manage access
• Add API permissions to the app registration; these are the permissions required for Sophos Firewall
to authenticate the users
• Assign users to the app role
• On Sophos Firewall, add an Azure AD SSO authentication server; this is new in version 19.5
• Select the Azure AD SSO authentication server as an authentication source for administrators
• Add a redirect URI to the app registration on Azure so that users are redirected back to Sophos
Firewall once they have authenticated
The configuration is done in Azure AD, and you start by creating a new app registration. Give the app
registration a name and select the redirect URI type as ‘Web’. You will add the redirect URI later.
So that Sophos Firewall can authenticate, you will need to create a new client secret. When you create
the secret you can only copy the value once. As soon as you navigate away from the page you lose the
ability to copy it.
When you create the client secret you can choose how long it is valid for. We would recommend
rotating the secret periodically for security.
Create an app role in the app registration. This role will be used to assign a role on Sophos Firewall.
You can create multiple roles that will determine the role the administrator logging in will get on
Sophos Firewall.
You will need to add permissions to the app registration so that Sophos Firewall can retrieve the
information required as part of the login process.
In addition to the default User.Read permission, add User.Read.All and Group.Read.All Microsoft
Graph permissions as Delegated permissions.
Once you have added the permissions, use the Grant admin consent button. If you do not do this step
then administrators will have an additional step to grant the permissions when logging in.
Assign administrators to the app role so they are assigned the correct permissions when they
authenticate.
You need to add an Azure AD SSO authentication server and configure it with the details from the app
registration you created in Azure.
You will need to enter the ‘Application (client) ID’ and ‘Directory (tenant) ID’ from the Overview page
of the app registration.
On this page you will find the ‘Web admin console URL’, which will need to be added as the redirect
URI in Azure.
Further down the page you select the fallback user group. This is the group that will be assigned to the
user if they do not match any other group.
You also create a mapping between the app role you created in Azure and the roles on Sophos
Firewall. Enter the value from the role you created in Azure and select the Sophos Firewall role.
Once the authentication server has been created, you need to select it as an authentication method
for Sophos Firewall administrators.
Back in Azure, you need to add the redirect URI from the Azure AD SSO authentication server on
Sophos Firewall to the app registration.
When SSO is configured on Sophos Firewall, the login screen will change to give administrators the
choice between using SSO or local credentials to log in. If they choose SSO they will be redirected to
the Azure login screen.
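The following is an added example of the pieces of the login flow that the eight steps above configure; it is illustrative code, not Sophos’ implementation. It builds the OpenID Connect authorization request from the ‘Application (client) ID’, ‘Directory (tenant) ID’ and redirect URI, validates the claims of the returned ID token, and maps the app role value to a firewall role with the fallback user group. The tenant and client IDs, redirect URI, app role values and firewall role names are placeholders, and signature verification of the token against Azure’s signing keys is assumed to be done by a JOSE library beforehand.

```python
import secrets
import time
from urllib.parse import urlencode

# Values copied from the app registration's Overview page (constructed placeholders).
TENANT_ID = "00000000-0000-0000-0000-000000000000"   # Directory (tenant) ID
CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # Application (client) ID
REDIRECT_URI = "https://fw.example.com:4444/"        # the firewall's 'Web admin console URL'
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}"

# App role values defined in Azure mapped to firewall roles (assumed names for the example).
ROLE_MAP = {"FirewallAdmin": "Administrator", "FirewallAuditor": "Audit Admin"}
FALLBACK_GROUP = "Audit Admin"   # assigned when no app role in the token matches a mapping


def build_authorize_url(state, nonce):
    """Where the firewall sends the browser when the administrator chooses SSO."""
    params = {"client_id": CLIENT_ID, "response_type": "code", "redirect_uri": REDIRECT_URI,
              "response_mode": "query", "scope": "openid profile User.Read",
              "state": state, "nonce": nonce}
    return f"{AUTHORITY}/oauth2/v2.0/authorize?{urlencode(params)}"


def validate_claims(claims, expected_nonce, now=None):
    """Checks on the decoded ID token after its signature has been verified (assumed done).
    Raises ValueError on the first failing check so a bad token never reaches role mapping."""
    now = time.time() if now is None else now
    checks = [
        (claims.get("iss") == f"{AUTHORITY}/v2.0", "issuer is not our tenant"),
        (claims.get("aud") == CLIENT_ID, "token was issued for another application"),
        (claims.get("tid") == TENANT_ID, "tenant mismatch"),
        (claims.get("nonce") == expected_nonce, "nonce mismatch (possible replay)"),
        (claims.get("exp", 0) > now, "token has expired"),
    ]
    for ok, why in checks:
        if not ok:
            raise ValueError(why)
    return True


def firewall_role(claims):
    """Map the 'roles' claim (from the app role assignment) to a firewall role, else fallback."""
    for value in claims.get("roles", []):
        if value in ROLE_MAP:
            return ROLE_MAP[value]
    return FALLBACK_GROUP


def login_example():
    """Walk one login: build the request, then validate constructed ID token claims."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    url = build_authorize_url(state, nonce)
    claims = {"iss": f"{AUTHORITY}/v2.0", "aud": CLIENT_ID, "tid": TENANT_ID, "nonce": nonce,
              "exp": time.time() + 3600, "preferred_username": "admin@example.com",
              "roles": ["FirewallAdmin"]}   # constructed claims, as returned after the code exchange
    validate_claims(claims, nonce)
    return url, firewall_role(claims)
```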
https://training.sophos.com/fw/simulation/AzureADAdminSSO/1/start.html
Other Enhancements
[Diagram: Xstream architecture showing the FastPath alongside the SlowPath components (Web, DoS, VPN, FW, Data Acquisition (DAQ), QoS)]
In version 19.5, Sophos Firewall can now offload the TLS decryption to the Xstream Flow Processor,
resulting in better overall performance with TLS decryption.
This is currently available for the XGS 4300, 4500, 5500, and 6500.
Sophos Firewall version 19.5 implements a new dynamic routing engine that includes support for
OSPFv3, which is for IPv6.
The new routing engine makes better routing decisions as it will take the actual bandwidth into
consideration, and we have also removed the limit on the number of routes or neighbors.
Static route configuration has been updated with an administrative distance and a metric. The
administrative distance is used to compare routes learned from different routing protocols; for example, the
administrative distance for OSPF is the shortest distance learned for a route. The metric is used for
route selection between static routes.
The default multicast group limit on Sophos Firewall has been increased to 250.
Sophos Firewall will auto-detect and recommend link settings. In the ‘Advanced settings’ section of the
interface you can click Show recommended settings to see them, and then click Load recommended
configuration to update the settings to the recommended parameters.
This includes support for advanced port configurations for high-speed interfaces, and includes forward
error correction, FEC, for 40 gigabit interfaces in XGS 5500 and 6500.
Version 19.5 adds support for breakout cables for 40 gigabit interfaces, splitting them into 10 gigabit
interfaces using DAC or fiber breakout cables.
You can now search for hosts and service objects in Sophos Firewall using both name and
configuration details to return results.
• Rotated log files now include a date and time stamp in the filename
• The size of the file and number of rotations for each log has been updated
• Small desktop devices with no hard disk use different log rotation settings
The log rotation settings have been updated with version 19.5. The rotated log files are now
compressed and include a date and time stamp in the filename, whereas previously rotated log files
were not compressed and used a ‘.0’ extension. This is to provide more space for critical logs to
improve troubleshooting.
There have also been changes to the size of the file and the number of rotations for each log file,
depending on their relative importance.
Small desktop devices with no hard disk use a different set of log rotation settings that stores less data
than other devices.
Over time Sophos’ zero-day protection has been able to increase the size of the files that it supports;
however, as the maximum file size was set on Sophos Firewall it did not keep pace. The maximum file
size for scanning will now be controlled by SophosLabs instead of being determined on Sophos
Firewall. This may increase the number of files submitted to zero-day protection for scanning but can
be managed by SophosLabs depending on threat conditions.
The option to always cache endpoint updates has been removed in version 19.5. This option enabled
the proxy to selectively and aggressively cache content that was determined to be related to endpoint
updates. This dates from before the move to HTTPS updating and before the implementation of the DPI engine
as the default method for web filtering. As all traffic to Sophos is excluded from HTTPS decryption,
caching in this way is no longer possible.
Where caching is required, we recommend deploying an update cache from Sophos Central, which is
architected to handle this in the most efficient way.
From Sophos Firewall version 19.0 MR 1, firmware updates on Sophos Firewall require a valid support
license. Three free firmware updates are provided, and mandatory updates that are installed as part of
the initial setup wizard are not counted towards this. Pattern updates are not affected by this change.
For devices that do not have a valid support license applied, a banner is shown on the firmware page
that shows the number of free firmware updates that are left.
Here are the three main things you learned in this chapter.
You can use SD-WAN profiles to load-balance connections across interfaces. This can be done using
round-robin or session persistence. Links can be weighted to determine how traffic is distributed
between them, and you can use the SLA to select which links will be included in the load balancing.
High availability now supports LAG and VLAN interfaces for the dedicated HA link, and VLAN interfaces
for monitored links. You can name HA nodes and the UI has been improved to make the status of the
HA cluster more visible and make it easier to know which node you are working on.
You can configure single sign-on for administrators to log in to the web console using Azure AD. This
allows administrators to have a single username and password for all the systems they need to access
and provides a single place where you can manage administrators’ access.