Sophos Firewall

These release notes are for Sophos Firewall (formerly known as Sophos XG Firewall).

The following versions are EOL: 20.0 GA and 20.0 MR1.

For more information, see Retirement calendar.

Version 20.0 MR3 Build 427
Released on December 12, 2024

New features

This page describes the new features introduced. For details, see the Sophos Firewall help.

FIPS 140-3 certification

SFOS 20.0 MR1 and subsequent 20.0 maintenance versions are FIPS-compliant.

You can configure Sophos Firewall to use a cryptography library that is certified for the Federal Information Processing Standard 140-3 (FIPS 140-3) level 1 for the following appliances:

XGS Series hardware appliances
Cloud and virtual firewalls

XG and SG Series hardware appliances and software firewalls don't support FIPS.

For details, read Federal Information Processing Standard 140-3 (FIPS 140-3).

Remove the missing heartbeat status of endpoints

Endpoints that move to a missing heartbeat status in the firewall and then move out of the network continue to appear with this status on the control center and in reports. The missing heartbeat status can only change when they reconnect to the network.

A new CLI command allows you to remove the missing heartbeat status for these endpoints based on the number of days their heartbeats have been missing. You can also remove individual endpoints by specifying their names. For more details, see System command for missing-endpoints.

Resolved issues

This maintenance release resolves some issues. To see these, click the Resolved issues tab.

Version 20.0 MR2 Build 378
Released on July 23, 2024

New features

This page describes the new features introduced. For details, see the Sophos Firewall help.

New Backup-restore assistant

SFOS 20.0 MR2 introduces the new backup-restore assistant and offers greater flexibility in restoring backups. The version also eliminates all practical restrictions.

Backup-restore assistant: The enhanced backup-restore functionality allows you to see and change the default port mapping in the new assistant. The assistant is available for backups from 19.5 MR4 and later versions restored to 20.0 MR2 and later.

Great flexibility: The following features are available for backups from all supported versions restored to 20.0 MR2 and later:

Wider model compatibility: You can move from a higher to a lower-capacity appliance model and restore existing backups. For example, you can restore backups from a 1US XG Series firewall model to the desktop XGS 126 model of the more powerful XGS Series firewalls. You can also restore backups among hardware appliances, cloud, virtual, and software firewalls.
Change the interface mapping: You can change the default interface mapping and map a physical interface to a different one, including higher-speed ports. For example, you can map a 10 GbE port to a 40 GbE port. You can change the parent interfaces of VLAN and LAG interfaces.
High availability ports: You can restore HA backups to devices with fewer or more interfaces. The dedicated HA link can be on a different port in the target device. See the help page Key interface mapping concepts in 20.0 MR2.

The release eliminates previous limitations that required the target device to have the same number of interfaces and the same dedicated HA link port as the backup.

Backup-restore links

Use the tool to check if you can restore backups between appliance models and platforms. Check compatible devices to restore backups.
Watch the video Backup-restore enhancements.
See the help page Restore backups to 20.0 MR2.

Other security and flexibility enhancements

More transparent AD SSO experience when HSTS is enforced, enabling the Kerberos or NTLM handshake to take place over HTTP or HTTPS.
Improved interactions with an Active Directory domain when a high availability failover occurs.
Enhanced Web Protection performance with reduced system load when enforcing SafeSearch, YouTube restrictions, Google App login domain restrictions, and Azure AD tenant restrictions.
Cipher compliance: You can set your security balance for cipher compatibility or audit compliance (PCI) by customizing the allowed cipher suites. Read the knowledgebase article TLS 1.1 and cipher support in captive portal and web proxy.

Version 20.0 MR1 Build 342
Released on May 15, 2024

New features

This page describes the new features introduced. For details, see the Sophos Firewall help.

Important points to know before you upgrade

SSL VPN compatibility for 20.0 MR1 and later with EoL SFOS versions and UTM9 OS

OpenVPN has been upgraded to 2.6.0 in this version. Firewalls upgraded to 20.0 MR1 and later versions won't establish SSL VPN tunnels with the following clients and firewall versions:

SFOS 18.5 and earlier versions (end-of-life): Site-to-site SSL VPNs won't be established between SFOS 18.5 or earlier versions and SFOS 20.0 MR1 and later. We recommend that you upgrade both firewalls to 20.0 MR1 and later versions at the same time. Alternatively, you can use site-to-site IPsec or RED tunnels.
Legacy SSL VPN client (end-of-life): Remote access SSL VPN tunnels won't be established with the legacy SSL VPN client, which is already end-of-life. You can use the Sophos Connect client or third-party clients, such as OpenVPN client, or use remote access IPsec tunnels. See Remote access SSL VPN with the Sophos Connect client. See Remote access IPsec VPN.
UTM9 OS: Site-to-site SSL VPNs won't be established between UTM9 OS and SFOS 20.0 MR1 and later versions. We recommend that you migrate these to 20.0 MR1 and later versions. Alternatively, you can use site-to-site IPsec or RED tunnels.

For site-to-site IPsec tunnels, see Route-based VPN. For RED tunnels, see Site-to-site RED tunnel.

End-of-life RED devices

20.0 MR1 and later versions won't support the following legacy RED devices: RED 15, 15w, and 50. They have been declared end-of-life in 2023. For more details, see the article Sophos RED: End-of-life of RED 15/15(w) and RED 50.

LINCE certification

You can configure the following Sophos Firewall platforms to use a cryptography library that meets Spain's National Essential Security Certification (LINCE):

XGS series hardware appliances
Cloud, virtual, and software firewalls

For more details, read National Essential Security Certification (LINCE).

Device access and Local service ACL exception rules

Device access: This release offers enhancements to the device access grid for access from zones to certain services. The grid has also been grouped to offer intuitive configurations and granular control:

IPsec and RED: IPsec and RED services are available on Device access to allow or block traffic based on zones. For example, you can block access to RED service from WAN while allowing access from other zones.
VPN services: IPsec, SSL VPN, VPN portal, and RED are grouped under VPN services.

Local service ACL exception rule:

List view: The list view of exception rules provides detailed information, such as source, destination, service, and action, with full visibility into the rules, eliminating the need to open the rule to check information.
Services: All the services in the device access grid are now available under services in the exception rule, including RED and IPsec services, offering granular control. For example, you can create an exception rule to allow or block VPN on a specific interface when the service is allowed from WAN. You can also specify the country and IP address, dropping VPN requests from specific countries, such as China, and allow VPN traffic from known FQDNs. The additional services available in exception rules are AD SSO, RADIUS SSO, Captive portal, Client authentication, Chromebook, Wireless, SMTP, SNMP, RED, and IPsec.
Additional object types: The object types, FQDN host, FQDN host group, MAC address, and MAC address list, are available for selection in source and destination hosts, eliminating the need to update dynamic IP addresses in local ACL exception rules.

SD-WAN enhancements for scalability

Scalability: This version brings 4x improvements in the gateway availability time during HA failover and device restart, ensuring minimal traffic disruption.
Detailed information view: SD-WAN routes show important gateway information, such as IP address, interface, and name, when you hover over the gateway while configuring the route.

VPN enhancements

SSL VPN

OpenVPN 3.0: Sophos Firewall is now compatible with OpenVPN 3.0 clients. Users can download the compatible configuration file from the VPN portal.

IPsec VPN

Phase I ciphers: The GCM suite-B ciphers, AES256GCM16, AES192GCM16, and AES128GCM16, are available for Phase I IKEv2 tunnels, offering better throughput and greater interoperability with third-party devices.
System-generated traffic: CLI commands are available to prevent system-generated traffic from flowing through policy-based IPsec tunnels when the remote subnets are set to Any. For details, see the routing commands.
The firewall now uses the upgraded strongSwan version 5.9.11.

DHCP enhancements

IPv6 DHCP prefix delegation: The firewall requests the preferred prefix from the ISP each time you update the interface configuration or when the firewall restarts.
DHCP lease time: DHCP clients will make renewal requests at 30 seconds if the lease interval's half-time is 30 seconds or less, ensuring continuous WAN connectivity.
Boot options: DHCP now supports boot server and boot file options in the DHCP header. You can also continue to send the parameters through specific DHCP options to provision network devices.

Logging enhancements

Download log files: You can download individual log files from the web admin console on the Diagnostics page under Troubleshooting logs. The Consolidated Troubleshooting Report (CTR) continues to have all the log files.
Default log lines in CTR: The default number of log lines for log files in the Consolidated Troubleshooting report is now 10,000.
Syslog delimiter: You can customize the delimiter in syslog event messages, offering flexibility in managing log data.

True Zero Touch configuration

TPM-based True Zero Touch is available to remotely deploy firewalls in branch offices through Sophos Central. You'll specify the firewall configuration in Sophos Central. The remote firewall administrator connects the firewall to the internet and turns it on. The firewall connects to Sophos Central, downloads and applies the configuration, and then registers with Sophos Central. For more details, see the Sophos Central help.

RED

SD-RED now supports bridge configuration for WAN interfaces with the RED tunnel.

Other enhancements

Generative AI assistant: The firewall now provides assistance using Generative AI through Sophos Assistant with dynamic help and configuration steps.
Automatic language detection: The web admin console and user portal automatically select and store the browser's preferred language for languages the firewall supports, offering a seamless sign-in experience.
Custom gateways: Custom gateways now support the link-local address.
Data optimization in Synchronized Application Control: The firewall only retains the recent five occurrences for each application detected by SAC per endpoint.
IPv4 internet host group: Updated the default public IPv4 host ranges to contain all the public IPv4 address ranges.
Object descriptions: Added description fields for IP, MAC, FQDN, and service objects.
Country list: Updated the country list.
Web: In the web proxy, we've refined the Pharming protection feature to address a potential vulnerability arising from modifications to the destination IP address during proxy DNS resolution. With the updated behavior, the firewall policy will now undergo re-evaluation using the DNS-resolved IP address from Pharming protection.
XML API: 20.0 MR1 and later versions don't support the XML API version for the end-of-life versions 17.5 and 18.0. If the APIVersion tag you use shows old versions, change the tag to the supported API versions.

Version 20.0 GA Build 222
Released on November 06, 2023

New features

This page describes the new features introduced. For details, see the Sophos Firewall help.

Active threat response

Active threat response integrates Managed Detection and Response (MDR) threat feeds with Sophos Firewall. Synchronized Security extends to Active threat response, enabling the firewall to automatically shut down active threats in the network.

MDR threat feeds

Active threat response brings the MDR service to Sophos Firewall through MDR threat feeds. Security analysts from the Sophos MDR team (or your XDR SOC team in the future) can share threat intelligence related to your network, pushing active threat information in real time to the firewall. Based on the threat feeds, the firewall automatically blocks traffic, including DNS requests and HTTPS traffic, from any host in the network that tries to communicate with malicious IP addresses, domains, or URLs. Additional rules and policies aren't required for the Active threat response action. Watch the video Active threat response with MDR threat feeds.

Synchronized Security: Active threat response extends Synchronized Security with its automated response based on RED Security Heartbeat to MDR threat feeds in the firewall. Based on the threat feed, the firewall automatically queries any Sophos-managed endpoint attempting to communicate with malicious servers for additional information, such as the host, user, and process, which enables you to determine any Indicators of Compromise (IoC). It prevents compromised endpoints from moving laterally or communicating outward, shutting down active threats in the network.

The release enhances Synchronized Security with added scalability and reduced false missing heartbeats for endpoints in sleep or hibernate status.

Dynamic threat feeds

Sophos X-Ops threat feeds: Advanced threat protection has been renamed Sophos X-Ops threat feeds. It offers periodic updates of threat feeds from SophosLabs.

Extensible framework for dynamic threat feeds: Active threat response introduces a new extensible API framework for dynamic threat feeds in the firewall. The framework enables the following threat intelligence to be shared with the firewall:

Sophos products and services, such as Sophos X-Ops and MDR threat feeds.
Third-party threat feeds in a future release.

Network scalability and resiliency for distributed enterprises

The release offers VPN, IPv6, and SD-WAN enhancements with scalability, security, and interoperability.

VPN enhancements

VPN portal: A new, hardened, and highly secure, containerized self-service VPN portal is available for remote access VPN users. It contains remote access downloads, such as the Sophos Connect Client and configurations, and performs auto-provisioning for remote access VPN connections. It also contains clientless VPN bookmarks.
These services are no longer available in the user portal, minimizing the need to expose the user portal to WAN and tightening its security. To maintain compatibility, the VPN portal is available by default on the previous user portal port (443). It can share a common port with WAF or SSL VPN. The user portal now uses port 4443 by default. See the help for Port sharing among services.

For migration details and how port settings apply from Sophos Central, see the knowledge base article New VPN portal in SFOS 20.0 and later.
FQDNs in SSL VPN: Fully qualified domain name (FQDN) host and group support is available for remote access and site-to-site SSL VPNs. You can select these under permitted, local, and remote networks.
IPsec VPN:
- Stateful HA failover: Seamless transition for route-based, policy-based, and remote access VPNs without losing tunnel connectivity during high-availability failover. Also supports seamless connection failover for stateless protocols with minimal packet loss.
- SNMP monitoring for tunnel status: Added MIB entries to monitor the following IPsec VPN tunnel statuses through SNMP: activate, deactivate, connected. You can download the new MIB file from the web admin console.
- Multiple remote gateway support for route-based VPN: You can enter a wildcard address (*) for the remote gateway in route-based VPNs. This eliminates the need for explicit DDNS or FQDN configuration in dynamic gateway IP deployments.
- Unique preshared keys: You can have unique preshared keys (PSK) for VPN connections with the same local and remote gateway settings if you use IKEv2 profiles and configure a unique set of local and remote IDs.
- DH groups 27 to 30: DH groups 27 to 30 are available for IKEv2 IPsec profiles based on RFC 6954.

Watch the video VPN enhancements.

IPv6 DHCP prefix delegation and BGP, SD-WAN

IPv6 DHCP prefix delegation: Seamless integration with DHCP prefix delegation by ISPs for internal networks. This automates the assignment of IPv6 prefixes to internal subnets, simplifying network setup and reducing manual configuration. Watch the video DHCP prefix delegation.
BGP IPv6: Enhancements to the dynamic routing engine now support BGPv6 for improved IPv6 interoperability. Watch the video IPv6 dynamic routing in Border Gateway Protocol.
SD-WAN scalability: Increased scalability for SD-WAN gateways by 3 times to 3072 gateways and the number of SD-WAN profiles to 1024.

SASE and remote worker protection

In cloud-hosted network security services delivering key remote worker and branch office protection capabilities, ZTNA, SD-WAN, and DNS protection have been integrated into Sophos Firewall (both on-premise and cloud-hosted).

ZTNA Gateway: Sophos ZTNA Gateway is now available in Sophos Firewall, greatly simplifying ZTNA deployment. You can use ZTNA as a replacement for remote access VPN with higher security, seamless scalability, easier management, and a more transparent end-user experience.
- Direct integration in Sophos firewall: The ZTNA gateway is directly integrated into the firewall, eliminating the need for a separate gateway on a VM for remote access to systems and applications hosted behind the firewall. You don't need to deploy additional applications on your network to support ZTNA secure access. You only deploy a single agent on the remote endpoint.
- Free trial: ZTNA free trial is available in Sophos Central. You can use this trial to explore ZTNA and manage the firewall or internally hosted systems and applications with high security.

SD-WAN backbone on-ramping: We built SD-WAN partnerships with top-tier SD-WAN backbone providers to enable smooth and easy on-ramping of local SD-WAN traffic to these high-performance global networks. Sophos Firewall connects seamlessly to these networks, enabling high-performance connectivity and routing, as well as access to their SASE security services. These SD-WAN backbone providers are as follows:
- Akamai SIA integration: With the Akamai Secure Internet Access (SIA) integration, you can on-ramp traffic from Sophos Firewall to Akamai SIA SSE (Security Service Edge) using redundant and resilient SD-WAN over route-based IPsec VPN tunnels. For configuration details, see the recommended read Connect Akamai SIA and Sophos Firewall.
- Cloudflare Magic WAN integration: You can on-ramp traffic from Sophos Firewall to CloudFlare Magic WAN using redundant and resilient SD-WAN over route-based IPsec VPN or GRE tunnels. For configuration details, see the recommended read Connect Cloudflare Magic WAN and Sophos Firewall.
- Azure Virtual WAN: Integration with Azure Virtual WAN offers Sophos Firewall protection to applications and network traffic flows along with scalable SD-WAN connectivity to deploy the Microsoft Global Network as a secure enterprise WAN backbone. For configuration details, see the recommended read How to Integrate Sophos Firewall with Azure Virtual WAN (Secure SD-WAN).

Sophos DNS protection: Sophos Firewall fully supports the upcoming release of Sophos DNS protection, a new cloud-delivered web security service. Sophos DNS Protection delivers a new domain name resolution service (DNS) with compliance and security features hosted by Sophos. The service provides an additional layer of web protection, preventing access to known compromised or malicious domains across all ports, protocols, and applications, including encrypted and unencrypted traffic.
The new Sophos DNS protection service will soon be available for early access.

Quality of life enhancements

Turn interfaces on or off: Turn interfaces on or off while retaining their configurations. The turned-off status appears on the Control center.
You can't turn off alias or tunnel interfaces and members of a LAG or bridge interface, but you can turn off the entire LAG or bridge interface.
Object reference lookup: You can see the usage count of all host and service objects and the list of all locations where the object is in use, such as in rules, policies, and routes. You can edit or remove objects from the object list without going to the location for many locations.
High resolution for web admin console: The web admin console now uses a high-resolution display, delivering a scalable user interface. Tables use the Full HD width (1920 pixels) to show more information, reducing the need to scroll horizontally.
Automatic rollback for failed firmware updates: If a firewall, including high-availability devices, can't complete a firmware upgrade, the firewall (or the cluster) is automatically rolled back to the previous firmware version. An alert appears in the Control center.
Backup-restore: You can restore backups from a firewall with integrated Wi-Fi to a firewall without integrated Wi-Fi. You must remove the wireless networks in the firewall before taking the backup.
Microsoft Entra ID (Azure AD) SSO: Watch the video Captive portal SSO and group import.
- Captive portal: Microsoft Entra ID (Azure AD) SSO now supports user authentication through the captive portal. Version 19.5 added Azure AD SSO authentication for the web admin console.
- Import groups: You can use the new import assistant to import all Microsoft Entra ID (Azure AD) groups or those that match the attributes you specify from Azure Portal. This eliminates the need to create groups manually in the firewall.
- Automatic Azure RBAC: Introduces Role-based Access Control (RBAC). If you change a user's role in Azure Portal, the firewall automatically applies their new role when they next sign in. It also applies the profile and privileges that apply to the new role.

Watch the video Quality of life enhancements.

Web Application Firewall (WAF)

Geo-IP policy enforcement: You can block users from accessing resources protected by WAF from the countries you specify or IP addresses that can't be associated with a specific country.
Custom ciphers and TLS version settings: Enables the use of more secure ciphers while excluding less secure ciphers.
Improved security: Adds HTTP Strict Transport Security (HSTS) for HTTPS enforcement in the client (browser) and X-Content-Type-Options enforcement to provide MIME-type sniffing protection.

Azure enhancements

Azure Single Arm Deployment Support: For Microsoft Azure public cloud deployments, you can choose a smaller instance size with single arm deployments and save your infrastructure costs. This reduces network and operational complexity.

Resolved issues

Version 20.0 MR3 Build 427

Fixed issues, listed by ID, description, explanation and Workaround.
Issue ID	Component	Description
NC-131711	Authentication	Log message was incorrectly tagged as an error in the access server for STAS.
NC-138431	Authentication	MFA tokens didn't work for SSL VPN users after a firmware upgrade to SFOS 20.0 MR1.
NC-139018	Authentication	After a Microsoft patch, remote access L2TP and PPTP users couldn't connect with RADIUS authentication using CHAP or MS-CHAPv2.
NC-141413	Authentication	Authentication outage occurred because of unresponsive read_from_client.
NC-141584	Authentication	Access server service became unresponsive.
NC-139709	Backup-Restore	The following error message appears when a backup is restored to 20.0 MR2 XG and SG devices: Can't restore backup, insufficient space.
NC-132127	CDB-CFR, CM	The auxiliary device generated alerts that the firewall has lost its connection to Sophos Central.
NC-139323	Certificates	IPS service failed after an upgrade to 20.0 MR1.
NC-135473	Clientless Access	Unable to download the configuration file from the VPN portal after HA failover.
NC-139717	Clientless Access	Hardened XSS protection for the VPN portal.
NC-133133	CM	CM group configuration import failed while importing the configuration from XG 86w.
NC-135944	CM	Unable to manage or access XG Firewall from Sophos Central.
NC-140829	CM	Intermittent issues with internet connectivity.
NC-137123	Core Utils	Low swap memory in a device migrated from 17.5 (virtual deployment with two disks).
NC-135613	DDNS	DDNS doesn't show data on the web admin console.
NC-130236	Email	Email was identified as BULK when the presence of \n concatenates two words in the subject.
NC-133859	Email	DKIM signatures didn't work as expected. Emails were quarantined.
NC-133988	Email	Rejected mail log entries due to message size weren't logged.
NC-134038	Email	Email is bounced or isn't delivered when the subject includes & and SPX is turned on.
NC-130017	IPS-DAQ-NSE	Client-server traffic was dropped without ac_atp exception due to missing support for TCP keepalive attempts on decrypted TLS.
NC-137792	IPS-DAQ-NSE	Core dump during MSS update in DPI engine.
NC-140591	IPS-DAQ-NSE	An AWS website doesn't work with SSL/TLS decryption in DPI mode. Log viewer shows the following error: "TLS handshake fatal alert occurs: decode error(50)".
NC-140666	IPS-DAQ-NSE	Unable to connect Office 365 SMTP with SSL/TLS turned on after an upgrade to 20.0 MR1.
NC-138180	IPsec	After an upgrade to 20.0 MR1, the auxiliary device was receiving the NAT-T IPsec packets after a rekey.
NC-138822	IPsec	XFRM interface status appears as not configured even when the IPsec tunnel is up.
NC-141503	Postgres	IPS becomes unresponsive and can't be restarted because PG connections exceed the limit.
NC-138286	Reporting	Custom view wasn't listed in the custom report when accessing the firewall through Sophos Central.
NC-139458	SSLVPN	Services page and SSL VPN assistant weren't loading.
NC-139849	SSLVPN	Discrepancies in site-to-site SSL VPN import validation.
NC-141688	UI Framework	Support automatic language detection for SSO login users.
NC-135798	WAF	Setting cache-control to no-cache, no-store for WAF.
NC-136062	WAF	Migration failed due to duplicate names of WAF rules.
NC-136560	WAF	WAF authentication template files disappeared after upgrading to 20.0 MR1.
NC-136403	Web	Web policy override must tell browsers not to autofill bypass codes.
NC-136616	Web	AD SSO wasn't working with Kerberos for a specific server and user.
NC-136099	WebInSnort	SSL/TLS inspection rules containing only unsupported services behave as Service set to Any.
NC-140491	WWAN	Sierra EM9191 modem failed to connect after migration in XGS 116.

Version 20.0 MR2 Build 378

Fixed issues, listed by ID, description, explanation and Workaround.
Issue ID	Component	Description
NC-131391	Authentication	L2TP authentication isn't working with Windows Automatic Logon enabled in VPN adapter.
NC-132907	Authentication	Access server coredump user disconnection.
NC-127665	CDB-CFR, CM	Firewall shows disconnected status on Sophos Central after the firewall restarts.
NC-136645	Certificates	Certificates from Starfield Secure Certificate Authority - G2 were untrusted in 20.0 MR1.
NC-127253	Clientless Access	HTTP Host header injection in VPN portal.
NC-132845	CSC	Log viewer shows a blank username field when a user is deleted in virtual firewall.
NC-130879	DHCP	DHCP relay fails intermittently, and clients no longer receive an IP address. Changing the DHCP relay configuration makes it work again.
NC-136246	DHCP	DHCP server doesn't start when Boot options are configured with URL.
NC-126576	Email	Greylisting doesn't work.
NC-128229	Email	Turning on SPF check isn't an option to block spoofed emails of the internal domain.
NC-131106	Email	Inbound email isn't delivered to the mailbox when SMTP scanning is on in legacy mode.
NC-132557	Email	HA synchronization issue for email encryption SPX template.
NC-133157	Email	Unable to send backups using Amazon SES.
NC-135882	Email	Regression in IMAP proxy.
NC-134783	Firewall	Unable to see IP Host or MAC host in the firewall.
NC-136153	Firewall	Local ACL exception rule doesn't work for SMTP relay.
NC-136681	Firewall	Unable to access the web admin console of remote firewall with site-to-site VPN using NAT.
NC-125024	Firmware Management	Incorrect pop-up message while updating a standalone HA device.
NC-131100	Firmware Management	SNMP server shows 100 percent /tmp/npu_diag usage.
NC-132862	Firmware Management	SSH Terrapin prefix truncation weakness (CVE-2023-48795).
NC-135340	Firmware Management	Restrict parallel firmware upgrade flows.
NC-130404	HA	License issue in auxiliary device in active-passive HA pair.
NC-135699	HA	Firewall web admin console doesn't respond on HA page.
NC-133495	Interface Management	Can't turn off Port1 if web admin console language is set to German.
NC-136619	Interface Management	udhcpc isn't sending a renew request with a low lease time of 40 seconds.
NC-132542	IPS-DAQ	Memory allocation failure in jumbogram causes IPS log to grow in GBs.
NC-135467	IPsec	Unable to connect IPsec tunnel when the port is turned off, and the local gateway is changed to an active port.
NC-136651	IPsec]	Charon high CPU for IPsec passthrough traffic.
NC-133699	Localization	German language errors in the firewall.
NC-129242	Logging Framework	Notification plugin reconfiguration failure causes crash in fca_output.
NC-136693	Logging Framework	Control center doesn't show bandwidth utilisation by interfaces.
NC-133375	Logging Framework (Central Reporting)	Garner doesn't respond.
NC-128941	NFP-Firewall, XGS-IPsec	Traffic doesn't flow through IPsec tunnel when ipsec-acceleration> is on.
NC-137333	Service Object	Missing entries for Services on web admin console after changes were made.
NC-132821	Static Routing	Staticd service stopped after upgrading the device to 19.5 MR4.
NC-135342	SupportAccess	Support access isn't working after a restart.
NC-131365	UI Framework	DNS server IP address in DHCP server configuration changes unexpectedly in the XG web admin console.
NC-131782	WAF	After a second HA failover, GeoIP settings in WAF rules are lost.
NC-100895	Web	Unable to remove URL from web category when URL contains "\" backward slash character.
NC-113504	Web	Unable to add a second URL with the same parent domain.
NC-115849	Web	Zero-day protection page doesn't load if filename ends in percent.
NC-131685	Web	HTTPS error 502 while browsing URL cosmopolitan.com in legacy web proxy mode due to trailers.
NC-131687	Web	HTTPS error 502 while browsing URL scottdirect.com in legacy web proxy mode because header size was greater than 8k.
NC-128897	WebInSnort	Previously allowed applications get blocked.
NC-132126	Wireless	Wi-Fi separate zone doesn't match the firewall rule.
NC-131582	XGS BSP	No traffic except on the management port after a restart.
NC-132065	XGS BSP	SFP ports don't respond after an upgrade to 20.0.

Version 20.0 MR1 Build 342

Fixed issues, listed by ID, description, explanation and Workaround.
Issue ID	Component	Description
NC-77828	API Framework	Unable to import user activity that contains web categories with special characters.
NC-122760	AppFilter Policy	Unable to update or push app filter policy from Sophos Central.
NC-120582	Authentication	Updated the log message for brute force sign-in event.
NC-120484	WebInSnort	Firewall stops responding because of out-of-memory issue.
NC-120875	Authentication	AD group import fails when username has special characters.
NC-121619	Authentication	Admin access to the web admin console gets blocked after two wrong attempts when MFA is on.
NC-124603	Authentication	When the primary user group ID is greater than 9999, captive portal disconnects within 5-10 seconds of signing in.
NC-124684	Authentication	Static IP address isn't released sporadically for SSL VPN users.
NC-127830	Authentication	RADIUS users who aren't part of VPN group are able to connect to SSL VPN.
NC-128138	Authentication	Captive portal with custom code isn't working properly.
NC-131097	Authentication	When the AD server connection flaps, ldap_bind blocks for 30 minutes, resulting in time-out and failure of new authentication requests.
NC-131290	Authentication	Web admin console sign-in error when Azure AD SSO is used: Firewall is starting.
NC-125264	Azure	Firmware upgrade of SFOS on Azure to 20.0 GA fails and results in a single NIC if it was configured with three or more NICs.
NC-124919	CDB-CFR, CM, CM (Zero Touch)	Firewall's web admin console shows the ZT and CZT wizard even after ZT and CZT are completed because nvram flag isn't reset.
NC-119857	CM	Firewall's Web admin console stops responding on the Sophos Central page.
NC-124391	CM	VPN tunnel flaps between the firewall and a third-party firewall.
NC-129249	CM, Core Utils	Fixed vulnerabilities in libssh2 CVE-2023-48795 for Sophos Central services. Upgrade to SFOS 20.0 MR2 for the full fix to all firewall services.
NC-127120	Core Utils	Fixed NPU log error.
NC-126965	DHCP	Firewall stops logging DHCP logs, and Garner service doesn't respond and can't be restarted.
NC-128820	DHCP	DHCP server configured with relay agent request with All interface selection doesn't work after migration or restoring a backup.
NC-129171	DHCP	DHCP stopped working after upgrade from 19.5.3 to 20 GA.
NC-117690	DHCP	DHCP Next server and Boot file ignored PXE Boot DHCP options 66 and 67.
NC-116339	Wireless	Hostapd service stops responding after wireless network is added to the access point group.
NC-126738	Interface Management	HA isn't established with VLAN over unbound interface as dedicated link.
NC-125076	Dynamic Routing (BGP), Dynamic Routing (OSPF)	Zebra continuously restarts when configuration contains a gateway IP address that's actually the broadcast IP address.
NC-120967	Email	Inbound and outbound emails are delayed after firmware is upgraded to 19.5.2.
NC-121980	Email	Users receive duplicate emails.
NC-122260	Email	Two email addresses in Return-Path: and From: Header after you release and report emails from Quarantine digest in SFOS 19.5.1 and 19.5.2.
NC-123889	Email	High CPU usage by warren after upgrade to 19.5.3.
NC-124266	Email	Notification emails are getting stuck in mail spool when there is smarthost with RED tunnel setup.
NC-124453	Email	Not able to see, release, or delete emails from SMTP quarantine.
NC-125084	Email	DKIM isn't working as expected.
NC-133277	Email, WAF	UX issue for DH group in IPsec profiles.
NC-119893	Firewall	SFOS is accessible to requests from another network for network and broadcast IP addresses.
NC-123538	Firewall	MAC filter spoof check doesn't work. SPOOF_CHECK chain entry is missing.
NC-123249	Wireless	Access points remain offline if device is restarted after turning off the Wireless Protection option.
NC-124012	Firewall	NAT rule isn't marked even after an upgrade to 19.5.3.
NC-124251	Firewall	RED service doesn't respond.
NC-124551	Firewall	Firewall rules don't work after upgrade from 18.5.3 to 19.5.3.
NC-127532	Firewall	Logviewer shows source IPv6 address in dst_trans_ip field for IPv6 hairpin NAT.
NC-120434	Firmware Management	Discrepancy in HA role status.
NC-125791	Firmware Management	High SWAP memory issue for a virtual appliance.
NC-132224	Firmware Management	Upgrade to 20.0 failed on XGS 87 with Invalid firmware error.
NC-118929	HA	msyncd stops tracking events and doesn't start tracking again.
NC-120730	HA	HA failover results in missing configurations.
NC-124105	HA	Configuration changes show the following error: The Operation will take time to complete. The status can be viewed from the Log viewer page.
NC-128183	Hardware	Flexi module port doesn't work on XGS 2100 after the firewall restarts.
NC-122885	Import-Export Framework	Unable to export user configuration in 20.0.1.
NC-124721	Interface Management	Firewall stops responding and requires a restart.
NC-133495	Interface Management	Can't turn off Port1 if the web admin console language is set to German.
NC-119561	IPS-DAQ	Inject buffer leak causes traffic outage.
NC-124957	IPS-DAQ	FIN and RESET packets leave WAN interface with LAN IP address information.
NC-125294	IPS-DAQ-NSE	Firewall drops reset packet in LAN-to-LAN communication when DPI is on.
NC-130365	IPS-DAQ-NSE	Slower download speed for TLS-inspected traffic from some servers.
NC-121370	IPsec	Memory usage of XG 230 has been increasing since it was upgraded to 19.5.1-Build 278.
NC-123233	IPsec	IPsec SA establishment is sporadically interrupted.
NC-123230	Wireless	LocalWiFi status isn't correctly reflected on the access points page.
NC-124464	IPsec	strongSwan service fails to start after HA failover.
NC-127177	IPS Engine	IPS logs aren't generated in Log viewer.
NC-125251	IPS Ruleset Management	Count issue related to firewall rules with IPS for read-only administrator profile.
NC-68574	Logging Framework	Logs with Central Reporting enabled are sent to unreachable syslog server at 127.0.0.1.
NC-117777	Logging Framework	Network traffic report calculation shows different values at different times.
NC-118327	Logging Framework	Syslog format Standard Syslog Protocol logs with key log_id as both number and string.
NC-122033	Logging Framework	WAN interface graph shows incorrect values for historical data collected five minutes before or after the hour limit.
NC-123602	Logging Framework	/conf partition gradually increases in XG 86 and XGS 87.
NC-123771	Logging Framework (Central Reporting)	Central Report hub doesn't show the past 24-hour statistics from the firewall because SFOS sends reports to Sophos Central at a low rate.
NC-124987	NFP-Firewall	Access to remote network over IPsec VPN stops. Packet capture mitigates the issue.
NC-125112	NFP-Firewall	RED tunnel down in 19.5.3. Turning off firewall acceleration resolved the issue.
NC-128656, NC-128159	nSXLd, CM	nSXLD times out when the first two DNS servers aren't reachable and the third DNS server is reachable.
NC-133022	nSXLd	Fixed the "invalid traveller type" error.
NC-115843	PPPoE	Scheduled PPPoE reconnect doesn't work.
NC-115457	XGS BSP	Fiber interfaces are taking more time to negotiate in XGS than in XG.
NC-128072	PPPoE	Missing PPPoE logs.
NC-123969	RED	Primary device automatically restarts and fails over to the auxiliary.
NC-126941	RED	For site-to-site RED from XG 106, client doesn't automatically reconnect after the tunnel goes down.
NC-130949	RED	Some RED devices went down after firewall firmware was downgraded from 20.0 to 19.5.3.
NC-122948	SDWAN Routing	Garner logs are full with SD-WAN route gateway resolution message.
NC-126363	SDWAN Routing	A firewall rule isn't matched occasionally.
NC-127524	SDWAN Routing	SD-WAN route and default MASQ are applied to system-generated traffic for policy-based IPsec VPN.
NC-124588, NC-124590	SecurityHeartbeat, LCD Framework	Certain heartbeat opcodes are always called with the debug details even though csc isn't in debug mode.
NC-129618	SecurityHeartbeat	Heartbeat service dead due to malformed MAC address.
NC-123237	SSLVPN	Grammar error on the web admin console for route-based VPN connection.
NC-123723	SSLVPN	XG 86w doesn't reconnect SSL VPNs after a restart.
NC-124647	SSLVPN	Unable to connect to SSL VPN after firmware was upgraded to 19.5.3.
NC-128468	SSLVPN	Unable to generate the .ovpn file because of missing server_dn in tblsslvpnglobalconf when custom certificate is used.
NC-128469	SSLVPN	Some AD users are unable to download the SSL VPN configuration file from the user portal.
NC-130692	SSLVPN	Special characters are replaced with encoded values.
NC-130938	SSLVPN	More certificates in .ovpn file than before upgrade.
NC-131180	SSLVPN	SSL VPN remote access resources become inaccessible.
NC-118599	Static Routing	Static route configuration must prevent configuration of the interface IP address as gateway IP address.
NC-120986	Static Routing	When HA is disabled, the previous auxiliary isn't able to update its firmware because of Zebra CLI backend routes.
NC-119425	Synchronized App Control	Garner log filled with "usercache_output: cannot resolve appcatid 0".
NC-119289	Wireless	Hotspot voucher shows SSID WLAN password after removing SSID encryption from wireless network settings.
NC-79314	UI Framework	UX issue on SD-WAN profiles.
NC-118925	UI Framework	Failed to restore backup if the backup file name has & in the prefix.
NC-118913	Wireless	AP firmware isn't automatically updated after AP pattern update.
NC-123712	UI Framework	Web admin console stops responding.
NC-124188	UI Framework	Fixed HTTP Host Header Injection in the user portal.
NC-124909	VFP-Firewall	Firewall automatically restarted.
NC-124519	WAF	Form-based authentication doesn't work after upgrade from 19.5.2 to 19.5.3.
NC-125102	WAF	WAF outage several times a day due to a coredump.
NC-130528	WAF	Missing WAF parameters in XML API.
NC-130684	WAF	Unable to update WAF rule after updating the certificate.
NC-130710	WAF	Can't upgrade to 20.0 if a rule template exists with the same name as a new template name.
NC-81555	Web	Removing all domains or keywords from a custom category doesn't work.
NC-124040	Web	Unable to get proper "Web activity category" report under "Blocked Web attempts".
NC-125115	Web	awarrenhttp doesn't start if nasm isn't running.
NC-127260	Web	Continuous coredumps are generated.
NC-128631	Web	Network outage when downloading files with .hpi extension.
NC-128520	Wireless	Unable to restore backup from XG 135w to XGS 2100.
NC-131591	Web	awarrenhttp must reconnect to nSXLD after a time-out.
NC-118893	WebInSnort	WebInSnort logs RSA key size 3072 as key_param="RSA unknown type" in Log viewer.

Version 20.0 GA Build 222

Fixed issues, listed by ID, description, explanation and Workaround.
Issue ID	Component	Description
NC-125331	Authentication	Azure AD SSO captive portal authentication is stuck when the web proxy listening port isn't 3128.
NC-125589	DHCP, DHCP PD	On-link and autonomous settings are turned off in automatically created RA server for delegated interface.
NC-125595	DHCP, DHCP PD	Incorrect error message when creating downstream interface with invalid subnet ID.
NC-124414	Email	SPX password exposure in plain text (CVE-2023-5552).
NC-125369	Email	Exim libspf2 vulnerability (CVE-2023-42118).
NC-125221	RED	RED doesn't establish site-to-site tunnels when RED server enforces TLS 1.2.
NC-119334	Backup-Restore	The backup download button is unresponsive.
NC-118460	Dynamic Routing (PIM)	Clicking PIM-SM interface table shows the error "Unable to read routing information".
NC-116220	Email	Awarrensmtp was in failed status, and inbound email wasn't delivered, but a non-delivery report wasn't sent to senders.
NC-117638	Email	Emails are quarantined even if the sender address is added in exception.
NC-124102	Email	Unable to turn off legacy TLS protocols.
NC-107708	Firewall	Firewall restarts automatically (RIP 0010muser_match+0x747).
NC-120016	Firewall	Local ACL doesn't work when the name contains the backslash character.
NC-113034	Hardware	Lost device access to XGS appliances, and logs aren't available.
NC-116002	IPsec, SDWAN Routing	Branch office users unable to receive an email, mail is slow, IPsec traffic is slow.
NC-122180	Licensing	Unable to access web admin console due to license synchronization issue.
NC-122699	nSXLd	Adding a trailing period at the end of the domain bypasses web policies.
NC-122511	RED	Vulnerability detected on port 3400.
NC-119192	VFP-Firewall	Slow speed using Virtio NICs.
NC-119052	WAF	WAF protection policy's display issue on the web admin console.
NC-121432	WAF	The /tmp directory doesn't remove files and runs out of space, causing AV scan failure.
NC-121415	Web	AVD stops responding after a pattern update because a thread isn't released.
NC-119829	WWAN	Verizon Mifi 4G USB modem (U620L) doesn't work after an upgrade to 19.5 MR2.
NC-114104	AppFilter Policy	Application filter policy set to block all applications loses risk criteria when the template is pushed from Sophos Central.
NC-107481	Authentication	Log viewer doesn't show the source IP address for authenticated SSL VPN users.
NC-110927	Authentication	Missing logs for MFA enable-disable events.
NC-113532	Authentication	Can't remove authorizers from the data anonymization setting.
NC-114057	Authentication	Match known users option in firewall rule drops traffic because user identity isn't being marked.
NC-114950	Authentication	View usage doesn't work when the username has a single quote, and web admin console stops responding.
NC-116602	Authentication	Log viewer doesn't show the source IP address when authentication fails for SSL VPN Users.
NC-116880	Authentication	When two-factor authentication is on, SSH keys disappear if they're added by an administrator other than the default admin.
NC-116881	Authentication	Uploading a certificate when the admin signs in through Azure AD SSO results in a sign-out.
NC-119049	Authentication	access_server stops responding due to missing nsgencode multi-thread support.
NC-119183	Authentication	Transaction failure for eDirectory authentication server.
NC-119560	Authentication	Mandatory firmware update through the setup assistant causes the initial setup to start repeatedly.
NC-94533	Certificates	Attribute challenge password prevents the issue of a certificate with No-IP.
NC-119825	Certificates	Unable to download the default certificate from Web > General Settings. Results in a sign-out when admin clicks the download button.
NC-102256	Clientless Access	VNCFreeRDP stops responding.
NC-108378	Clientless Access	Clientless access doesn't work if name contains an umlaut character.
NC-114627	Clientless Access	Unable to connect to RDP over clientless SSL VPN if the username contains a space.
NC-115982	CM	Alert appears in Sophos Central. "Firewall has not checked in with Sophos Central for the past 5 minutes".
NC-116312	CM	Garner thread stuck in Central Management plugin.
NC-118749	CM	Specific API call doesn't work.
NC-119198	CM	Unable to change the password for admin accounts from Sophos Central Firewall Management.
NC-120519	CM	Disable Central Management doesn't work per the firewall's API document.
NC-108562	Core Utils	Public key authentication for admin can't be managed through Sophos Central.
NC-117314	Core Utils	SWAP memory usage full.
NC-107388	DDNS	DDNS logs appear every five minutes.
NC-111790	DHCP	Unable to configure or edit interfaces.
NC-113102	DHCP	Unable to add static MAC entry for specific DHCP pool.
NC-109623	Dynamic Routing (BGP)	BGP-FRR doesn't advertise the configured networks if they aren't available in RIB.
NC-115369	Dynamic Routing (OSPF)	OSPF repeatedly flaps when running continuous scan with ICMP echo.
NC-112492	Dynamic Routing (PIM)	PIMD service doesn't respond.
NC-107283	Email	Awarrensmpt service doesn't respond.
NC-108237	Email	Spam emails are allowed with the error "spam scanning failed, unable to connect local antispam".
NC-108450	Email	Inbound forwarded emails with attachments aren't delivered because of malware scan failure.
NC-109625	Email	Inbound emails from specific domains are quarantined because of DKIM verification failure.
NC-110897	Email	Error logs when using Sophos as AV in web server protection policy.
NC-111023	Email	Legacy email mode stops responding frequently.
NC-112128	Email	Release link settings can't be saved in quarantine digest.
NC-113038	Email	Mail communication stopped working after upgrading to 19.5 GA.
NC-113458	Email	MIME type recognition issues when Zero-day protection is turned on.
NC-113547	Email	Invalid IP address causes error for notification mails.
NC-116845	Email	Fix occasional UT error in mailpoller.
NC-116899	Email	Attachment is allowed even if it's blocked in extension or MIME header.
NC-117881	Email	Antispam service stops responding.
NC-120138	Email	EmailUtilityis_valid_messageid is too strict.
NC-101846	Firewall	Connections fail due to a high number of www in FIN_WAIT.
NC-108536	Firewall	Firewall rules stopped working after backup-restore due to failure of XML API through which the firewall rules were created.
NC-109201	Firewall	Device goes into Failsafe mode after upgrade. Unable to apply firewall framework.
NC-112136	Firewall	RED connection interrupted when firewall acceleration is turned on in XG 310.
NC-116527	Firewall	Entities.xml shows a firewall rule that doesn't appear on the web admin console.
NC-116890	Firewall	NAT rule doesn't get marked after the firewall restarts.
NC-116939	Firewall	Pktcapd bpf filter causing device restart (___bpf_prog_run).
NC-117063	Firewall	Allowed child connection is logged as dropped.
NC-118204	Firewall, SDWAN Routing	Static multicast packet changes reply destination when SD-WAN policy is applied.
NC-85114	Firmware Management	kworker process continuously uses high CPU on XG 450.
NC-109689	FQDN	Adding a new FQDN host causes the resolver to restart or stop responding and causes DNS resolution failure during the time.
NC-111423	FQDN	FQDN resolving with low TTL (2-5 seconds) is creating an issue with wildcard FQDN host.
NC-111476	FQDN	Subdomain learning doesn't work for non-SFOS DNS server set for the client.
NC-117675	Gateway Management	WWAN gateway update flow updates incorrect monitorid when wwan-gwid isn't the same as its monitorid.
NC-109626	HA	Standalone device restarts. Too many open files.
NC-106738	Hotspot	Sort functionality doesn't work properly for hotspot vouchers in the user portal.
NC-119525	Hotspot	Valid until time on hotspot sign-in uses UTC instead of local system time.
NC-120118	Hotspot	Missing information in hotspot voucher created for users.
NC-116314	Interface Management	Unable to delete or make changes to bridge interface.
NC-98796	IPS-DAQ	Coredump during DAQ shutdown due to incorrect order of thread stop.
NC-107329	IPS-DAQ	Snort shows high CPU usage, resulting in low bandwidth.
NC-114872	IPS-DAQ	Certificate-based authentication failing for server with small RX win.
NC-115019	IPS-DAQ-NSE	Firewall locks up. Snort core generated.
NC-119321	IPS-DAQ-NSE	Slow download speed with SSL/TLS inspection turned on along with malware scanning even if TLS isn't being decrypted.
NC-107042	IPsec	IPsec VPN path MTU-related connection issues with IPsec acceleration.
NC-119047	IPsec	SSL/TLS inspection doesn't work for VPN users.
NC-119898	IPsec	XFRM tunnel remains disabled when both site-to-site and route-based VPNs are up simultaneously on the same local-remote gateway pair.
NC-114411	IPS Engine	IPS policy behavior issue in Sophos Central.
NC-116448	L2TP	A checkbox isn't visible on the first line for L2TP members.
NC-112138	Licensing	Licenses not synchronizing.
NC-107504	Logging Framework	Unable to update the pattern file at AirGap sites.
NC-107975	Logging Framework	Logging stops on device. Database disk image is malformed.
NC-110678	Logging Framework	Live logs aren't being generated in log viewer.
NC-113004	Logging Framework	Garner stops responding at init_cache_tree during sync cache.
NC-114652	Logging Framework (Central Reporting)	After 7200 files, sending files to Sophos Central stops with error on gzclose.
NC-108003	NFP-Firewall	Memory utilization increases until firewall stops responding.
NC-100418	nSXLd	Internet down with error "nSXLd Connection timeout while connecting to SXL server".
NC-115360	nSXLd	Deleted policy from Sophos Central continues to appear in the firewall.
NC-117753	PPPoE	Internet through PPPoE doesn't work after HA failover.
NC-112058	RED	Some reports for RED tunnel on XG Firewall don't load.
NC-112117	RED	Editing a RED configuration in XG Firewall caused the firewall to become unresponsive.
NC-112621	RED	Unable to edit some RED interfaces.
NC-113005	RED	RED tunnels restart suddenly.
NC-117243	RED	Disable DHE cipher support for RED.
NC-117786	Reporting	Security Audit Report score data in email differs from what's shown in the firewall.
NC-111110	SDWAN Routing	Import-export doesn't reflect changes in SD-WAN profiles.
NC-112722	SDWAN Routing	garner.log is flooded with continuous logs for cache failures.
NC-114075	SDWAN Routing	Connectivity issue when using route-based VPN with SD-WAN Routes or profiles.
NC-107178	SecurityHeartbeat	Improve license enforcement message for Synchronized Security.
NC-116531	SecurityHeartbeat	Can't access resources for some time when Security Heartbeat is configured.
NC-117680	SecurityHeartbeat	Ipset hb_green entry removed without cause.
NC-111441	SSLVPN	Remote access SSL VPN doesn't work after upgrade.
NC-112065	SSLVPN	When Azure AD is used as the authentication type, the Authentication > Services page goes into buffering.
NC-112211	SSLVPN	/conf/certificate/openvpn directory is missing.
NC-114163	SSLVPN	Connections from LAN to static SSL VPN IP address are routed through WAN on XGS.
NC-117669	Firewall	"Invalid TCP state" logs in HA appliances for traffic coming from the auxiliary device.
NC-120190	SSLVPN	Site-to-site SSL VPN connections fail due to the absence of serveruser.conf file.
NC-112370	Gateway Management	Error while updating failover rules in WAN link manager.

Known issues

To see the known issues for the firewall, go to the Known issues list.

Set Choose your product to Sophos Firewall. Alternatively, enter a search term.

Upgrading firmware and restoring backups

Upgrading firmware

Form factors:
- SFOS 20.0 GA and MRs are available on all form factors.
- SFOS 20.0 GA and MRs will be the last firmware versions to support XG and SG Series hardware appliances.
FIPS: SFOS 20.0 MR1 and subsequent 20.0 maintenance versions are FIPS-compliant. For details, read Federal Information Processing Standard 140-3 (FIPS 140-3).
LINCE: Versions 20.0 MR1 and MR2 are LINCE-compliant. For details, read National Essential Security Certification (LINCE).

Important points to know before you upgrade to 20.0 MR1 and later versions

SSL VPN

Firewalls upgraded to 20.0 MR1 and later versions won't establish SSL VPN tunnels with the following clients and firewall versions:

SFOS 18.5 and earlier versions (end-of-life): Site-to-site SSL VPNs won't be established between SFOS 18.5 or earlier versions and SFOS 20.0 MR1 and later versions. We recommend that you upgrade both firewalls to 20.0 MR1 and later versions at the same time. Alternatively, you can use site-to-site IPsec or RED tunnels.
Legacy SSL VPN client (end-of-life): Remote access SSL VPN tunnels won't be established with the legacy SSL VPN client, which is already end-of-life. You can use the Sophos Connect client or third-party clients, such as OpenVPN client, or use remote access IPsec tunnels.
UTM9 OS: Site-to-site SSL VPNs won't be established between UTM9 OS and SFOS 20.0 MR1 and later versions. We recommend that you migrate these to 20.0 MR1 and later versions. Alternatively, you can use site-to-site IPsec or RED tunnels.

End-of-life RED devices

Versions you can upgrade from

We strongly recommend that you migrate only to the approved versions in the following table. If you try to migrate to other versions, Sophos Firewall shows an alert asking you to confirm the migration before it restarts. If you confirm the migration, Sophos Firewall restarts with the factory configuration, and you lose your current configuration.

See how to upgrade.

Upgrading firmware
Upgrade from	Upgrade to 20.0 MR3 Build 427	Upgrade to 20.0 MR2 Build 378	Upgrade to 20.0 MR1 Build 342	Upgrade to 20.0 GA Build 222
20.0 MR2 Build 378
20.0 MR1 Build 342
20.0 GA Build 222
19.5 MR4 Build 718
19.5 MR3 Build 652
19.5 MR2 Build 624
19.5 MR1 Build 278
19.5 GA Build 197
All 19.0 versions
All 18.5 versions

Indicates the same version or an earlier version. The table only shows upgrade information.

^* You can restore backups with or without FIPS turned on to a compatible Sophos Firewall version. For details, read Federal Information Processing Standard 140-3 (FIPS 140-3).

Sophos Central: You can schedule firmware upgrades from Sophos Central.

Previously restored Cyberoam backup: If your appliance uses a configuration previously restored from a Cyberoam backup, the firewall allows you to upgrade to version 20.0.x only if you've regenerated the appliance certificate at least once on SFOS. (The appliance certificate generated on Cyberoam devices uses a weak signature algorithm (MD5). SFOS 20.0.x doesn't support appliance certificates with this algorithm.)

Static route configurations through Zebra advanced shell: We introduced a new routing engine, which enables the firewall to monitor the interface link status and network configuration. This is a change from the earlier behavior. If you're upgrading or restoring the backup from 19.0.x and earlier versions, static routes configured through the Zebra advanced shell CLI commands won't migrate to 19.5.x and later versions. So, in some cases, the firewall won't allow you to upgrade to SFOS 20.0.x. For details, see the knowledge base article Upgrade to 19.5 GA blocked for specific routing configurations.

Backup-restore

Backups restored to 20.0 MR2 and later versions

You can restore backups to firewall models with fewer ports.

Backups from versions 19.5 MR4 and later: The backup-restore assistant appears when you restore backups from XG, SG running SFOS, and XGS to XGS Series, cloud, and virtual firewalls.
Backups from versions 19.5 MR3 and earlier: The backup-restore assistant doesn't appear, and the firewall automatically maps the interfaces.

Help links

See the help page Restore backups to 20.0 MR2 and later versions.
Use the tool to check if you can restore backups between appliance models and platforms. Check compatible devices to restore backups.
Watch the video Backup-restore enhancements.

Backups restored to 20.0 GA and MR1

The backup-restore assistant doesn't appear.
You can restore backups from SG, XG, XGS Series, cloud, and virtual appliances to any of these appliances.
You can't restore backups from larger models to desktop models. See Backup-restore compatibility check.

Supported platforms

Version 20.0

Sophos Firewall OS versions 20.0.x are available on all form factors as follows:

XGS Series firewalls
XG Series firewalls
SG Series firewalls
Virtual and software appliances
Cloud platforms

Additional information

SFOS 20.0 GA and MRs will be the last firmware versions to support XG and SG Series hardware appliances.
For all hardware lifecycle milestones, see Retirement calendar.
For more information about the supported firmware versions, licenses, and migration, see Firewall Licenses.

Supported firmware versions

20.0.x versions support the following firmware versions:

Wi-Fi firmware 11.0.021 and earlier
Sophos Connect:
- For Windows: Version 2.4 and earlier
  (Microsoft Entra ID SSO with the Sophos Connect client only applies to SFOS 21.5 and later versions.)
- For macOS: Version 1.4 MR-1 and earlier

RED firmware is supported as follows:

SFOS 20.0 MR3 and later: RED firmware versions 3.0.011 and earlier.
SFOS 20.0 MR2 and earlier: These SFOS versions only support RED firmware versions 3.0.010 and earlier. They don't support the later RED versions.

Support

You can find technical support for Sophos products in the following ways:

To ask or answer questions, subscribe to blogs, and see recommended reads, visit Sophos Community.
Find how-to, configuration, and troubleshooting videos at Sophos Techvids video hub.
Visit Sophos Support.

Legal notices

Copyright © Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.

Sophos Firewall

The following versions are EOL: 20.0 GA and 20.0 MR1.

Version 20.0 MR3 Build 427 Released on December 12, 2024

New features

FIPS 140-3 certification

Remove the missing heartbeat status of endpoints

Resolved issues

Version 20.0 MR2 Build 378 Released on July 23, 2024

New features

New Backup-restore assistant

Other security and flexibility enhancements

Version 20.0 MR1 Build 342 Released on May 15, 2024

New features

Important points to know before you upgrade

SSL VPN compatibility for 20.0 MR1 and later with EoL SFOS versions and UTM9 OS

End-of-life RED devices

LINCE certification

Device access and Local service ACL exception rules

SD-WAN enhancements for scalability

VPN enhancements

SSL VPN

IPsec VPN

DHCP enhancements

Logging enhancements

True Zero Touch configuration

RED

Other enhancements

Version 20.0 GA Build 222 Released on November 06, 2023

New features

Active threat response

MDR threat feeds

Dynamic threat feeds

Network scalability and resiliency for distributed enterprises

VPN enhancements

IPv6 DHCP prefix delegation and BGP, SD-WAN

SASE and remote worker protection

Quality of life enhancements

Web Application Firewall (WAF)

Azure enhancements

Resolved issues

Version 20.0 MR3 Build 427

Version 20.0 MR2 Build 378

Version 20.0 MR1 Build 342

Version 20.0 GA Build 222

Known issues

Upgrading firmware and restoring backups

Upgrading firmware

Important points to know before you upgrade to 20.0 MR1 and later versions

SSL VPN

End-of-life RED devices

Versions you can upgrade from

Backup-restore

Backups restored to 20.0 MR2 and later versions

Help links

Backups restored to 20.0 GA and MR1

Supported platforms

Version 20.0

Additional information

Supported firmware versions

Support

Legal notices

Version 20.0 MR3 Build 427
Released on December 12, 2024

Version 20.0 MR2 Build 378
Released on July 23, 2024

Version 20.0 MR1 Build 342
Released on May 15, 2024

Version 20.0 GA Build 222
Released on November 06, 2023