Sophos Firewall

These release notes are for Sophos Firewall (formerly known as Sophos XG Firewall).

Version 21.0 MR2 Build 349
Released on August 13, 2025

You can't upgrade to 21.5 GA from this version.

New features

This page describes the new features introduced. For details, see the Sophos Firewall help.

SFOS 21.0 GA and later versions don't support XG and SG Series hardware appliances.

OAuth 2.0 for email notifications

The firewall supports OAuth 2.0 as an additional authentication method for the email notifications it sends. We recommend that you move to OAuth 2.0 for Gmail. Gmail may stop supporting password-based authentication very soon.

Read Notification settings.

Active Directory integration

The firewall supports Windows Server 2025 for Active Directory SSO (NTLM and Kerberos) authentication.

RED

System hosts

RED system host objects now have the correct subnet mask of /32. You can see system host details in Hosts and services > IP host. Previously, when you created a RED interface, the system host was assigned the subnet mask you configured.

If you're using the RED system host for traffic other than a /32 subnet in configurations, such as firewall rules, the traffic won't match any longer. To resolve this, you must replace the RED system host with the correct IP host or network host in these dependent configurations.

Legacy site-to-site RED Early End-of-Life notification

The legacy RED site-to-site tunnels (Legacy firewall RED server and client configurations) won't be supported in SFOS 22.0 and later. We recommend that you migrate to the supported RED site-to-site or VPN tunnels.

Other enhancements

Live users

Data usage for live users is now shown using the standard unit formats (KB, MB, and GB) for enhanced usability.

SNMP

Improved RFC compliance in SNMP MIB files to enhance compatibility with third-party SNMP tools. The firewall supports the following RFCs for the MIB file:

SNMPv1: RFC 1157
SNMPv2: RFCs 1901, 1905, and 1906
SNMPv3: RFCs 3411 to 3418

VPN improvements

When you import groups from the Active Directory and Microsoft Entra ID authentication servers, L2TP and PPTP won't be turned on by default. You can turn them on in the groups or the corresponding VPN configurations.

High availability

Improved troubleshooting in HA environments. Enhanced the high availability log (ha.log) to include the node name and the current role information.

Version 21.0 MR1 Build 277
Released on March 31, 2025

New features

This page describes the new features introduced. For details, see the Sophos Firewall help.

SFOS 21.0 GA and later versions don't support XG and SG Series hardware appliances.

VPN

SSL VPN

Larger DH key sizes: SSL VPN now supports the key sizes 3072 and 4096 bits for the Diffie-Hellman key exchange to deliver enhanced communication security and meet compliance requirements.
Dead peer detection time-out: Granularity in dead peer detection's time-out setting for UDP-based SSL VPN tunnels offers enhanced resilience.

IPsec VPN

Improved stability in offloaded traffic related to policy-based IPsec VPNs eliminates slow browsing issues.

NAT64

The firewall forwards traffic initiated by IPv6-only clients to IPv4-only destinations in explicit web proxy mode, supporting the NAT64 scenario. In this mode, IPv6-only clients can access IPv4 websites. The firewall also supports IPv4 upstream proxy for IPv6-only clients.

Quality-of-life enhancements

This version offers some enhancements in networking, providing improved performance.

Cellular WAN: The firewall offers enhanced cellular WAN monitoring by automatically setting "8.8.8.8" as the second probe target. This addresses the issue of ISPs blocking gateway pings, reducing the need for manual configuration.

DHCP: DHCP service automatically restores itself from an error status, delivering higher resilience.

SD-RED: SD-RED devices now support remote troubleshooting and diagnostics by Sophos Support.

Version 21.0 MR1 Build 272 and Build 237
Released on March 12, 2025 and February 19, 2025

New features

These builds include all the new features that appear in 21.0 MR1 Build 277 and some of the later version's fixed issues.

We recommend that you upgrade to SFOS 21.0 MR1 Build 277 to get the benefit of all the fixed issues.

Version 21.0 GA Build 169
Released on October 17, 2024

New features

This page describes the new features introduced. For details, see the Sophos Firewall help.

SFOS 21.0 GA doesn't support XG and SG Series hardware appliances.

Active Threat Response with Third-party threat feeds

The firewall supports external threat feeds, making integration with third-party Security Operations Center (SOC) providers, MSPs, and industry-specific security consortiums easier.

Simple configuration: Third-party threat feeds allow you to add threat intelligence from external threat feed sources to block threats. You can add custom feeds and industry-specific feeds. See the help page Third-party threat feeds.
Automatic detection and action: The firewall automatically blocks or monitors any activity associated with the Indicators of Compromise (IoC) in the feed. It implements the action across all its security engines and doesn't require additional firewall rules.
Synchronized Security: With its automated response based on a red Security Heartbeat, Synchronized Security is extended to threat feeds.. This includes enforcement of any firewall rules that contain Heartbeat conditions. The firewall automatically queries any Sophos-managed endpoint attempting to communicate with malicious servers for additional information, such as the host, user, and process, which enables you to determine any Indicators of Compromise (IoC). It prevents compromised endpoints from moving laterally or communicating outward, shutting down active threats in the network.

Watch the video Third-party threat feeds.

Let's Encrypt^TM certificates

The firewall automatically obtains Let's Encrypt certificates based on your certificate signing requests (CSRs) for these certificates. It also automatically renews the certificates.

You can use Let's Encrypt certificates with the following features:

WAF
SMTP TLS configuration
Hotspot sign-in page
Web admin console
User, captive, VPN, and SPX portals.

See the help page Let's Encrypt certificate authority (CA).

Watch the video Sophos Firewall: Let's Encrypt.

New Gen.2 XGS Series desktop appliances

The new XGS Series desktop models XGS 88(w), 108(w), 118(w), and 128(w), and XGS 138 deliver higher performance, improved energy efficiency, high-speed connectivity options, and a streamlined architecture. The streamlined architecture is available in XGS 88(w) to 128(w) models. All models except the XGS 138 are available with optional built-in Wi-Fi 6, which supports concurrent dual-band use.

Accelerated performance: XGS 88(w), 108(w), 118(w), and 128(w) deliver up to double the throughput of Gen.1 models with Xstream virtual FastPath acceleration for IPsec VPN in 21.0 and later versions. The XGS 138 benefits from an overall throughput increase of 1.6 times versus the previous models.
Built-in high-speed connectivity: All Gen.2 models have 2.5 GE interfaces. XGS 138 has two built-in 10 GE SFP+ interfaces for high-speed fiber connectivity.
Concurrent dual-band Wi-Fi: The Gen.2 wireless models support Wi-Fi 6 (802.11ax) with concurrent use of the 2.4 GHz and 5 GHz bands for better performance.
Optional connectivity: The expansion bay can be equipped with an optional 5G module, providing a cost-effective connectivity option to support traffic peaks or add redundancy and failover, particularly for SD-WAN deployments.
Streamlined hardware architecture: XGS 88(w) to XGS 128(w) models have a new single-CPU architecture that uses the virtual FastPath built into SFOS for traffic acceleration. The XGS 138 maintains the dual-processor architecture with a dedicated Xstream Flow processor for hardware acceleration. As our gateway model to the distributed edge, it benefits from new high-speed connectivity options, resulting in 1.6 times the overall performance compared to the equivalent Gen.1 model.
Power and environment: The new models deliver up to 50 percent lower power consumption. The optimized thermal design for the XGS 118(w) and XGS 128(w) allows quieter operation, while the fanless XGS 88(w) and 108(w) models offer whisper-quiet 0 dBA operation for noise-sensitive environments. A redundant power option is available for the XGS 108(w) and above.

Gen.2 desktop models are available for delivery with 20.0 MR1, but you must upgrade to 20.0 MR2 and 21.0 GA to get the full benefits, such as IPsec VPN performance enhancements.

See the community post New XGS Series Desktop firewalls and SFOS v21.

Enhanced scalability and resilience

This version offers several enhancements in networking, providing improved performance and scalability.

High availability improvements

HA deployments offer additional resilience and smoother transitions, delivering reduced downtime.

Seamless failover of dynamic routes.
Significant improvement in SD-RED tunnel failover, enabling tunnels to reestablish within a few seconds of HA failover, reducing downtime.
Improved interactions with Active Directory domains when HA failover occurs.

Site-to-site IPsec VPN

This version delivers improved performance and additional ease in configuring and managing IPsec VPNs.

Optimized FQDN-based remote gateways have been optimized to improve scalability for distributed deployments.
This version supports DHCP relay over XFRM interfaces to DHCP servers deployed behind the firewall.
An increase of up to 20 times in XFRM interface up-time significantly minimizes disruption during tunnel flap and restart.
You can activate and deactivate more than one site-to-site IPsec VPN connection at the same time.
Automatic failback to the restored primary IPsec connection will be retried up to five times.

Watch the video Static route and VPN enhancements.

Authentication

Google Workspace: Supports Google Workspace integration through the LDAP client and Google Chromebook SSO.
Authentication: Performance for burst sign-ins has improved up to four times for RADIUS SSO, STAS, and Synchronized User ID. The enhancement enables the firewall to handle thousands of simultaneous sign-in requests in multiple SSO environments involving these authentication methods.
AD SSO: More transparent AD SSO experience when HSTS is enforced, enabling Kerberos and NTLM handshakes over HTTP or HTTPS.

Web

IPv6 to IPv4 using explicit proxy: The firewall enables IPv6-only clients to access IPv4 websites through explicit proxy.
Enhanced web protection: This version delivers enhanced Web Protection performance with reduced system load when enforcing SafeSearch, YouTube restrictions, Google App login domain restrictions, and Azure AD tenant restrictions.

Routing

Dynamic routing: A new option to redistribute BGP-IPv6 routes into the OSPFv3 routing table.

Reports database

SFOS 21.0 and later versions store reports in a separate, updated database. So, you must select a date range before or after the firmware upgrade date for the corresponding reports. See Reports behavior.

Quality-of-life enhancements

Static route management: You can clone static routes, turn them on or off, and add descriptions. The firewall offers a blackhole route option. It also supports Equal-Cost Multi-Path (ECMP) for load balancing.
Expanded object usage: This version offers additional visibility into the usage of the following network objects: interfaces, zones, gateways, and SD-WAN profiles. It also offers XML API support to retrieve object usage counts, delivering visibility into unused objects.
Site-to-site IPsec VPN: Option to activate and deactivate connections in bulk. It also provides improved filtering, covering the complete list across multiple pages. Filtering for XFRM interfaces is now available on the Interfaces page.
Interface listing: Interfaces are listed in alphabetical followed by numeric order based on their display name instead of the hardware name.
User experience enhancements:
- A fresh look for the web admin console with the latest Sophos design style guide matching that of Sophos Central.
- The Control center has been redesigned with new card views to enhance the visibility of important network events and data. An all-new Active threat response card consolidates threat information from MDR, Sophos X-Ops, and Third-party threat feeds into a single, easy-to-view section.
- Optimized VPN configurations with free text and value search for objects, such as network, subnet, and users in remote access and site-to-site VPN configuration lists.

Watch the video Quality of life enhancements.

New Backup-restore assistant

SFOS 21.0 GA includes backup-restore features first introduced in 20.0 MR2. These enhancements simplify firewall upgrades to the latest XGS Series firewalls. They also deliver additional flexibility.

The assistant is available for backups from 19.5 MR4 and later versions.

Wider model compatibility: The new Backup-restore assistant delivers flexibility, enabling you to restore firewall configurations to a different firewall model. You can move from a higher to a lower-capacity appliance model and restore existing backups. You can also restore backups from one platform to another for hardware appliances, cloud, virtual, and software firewalls.
Flexible interface mapping: The assistant supports port mapping, making upgrades to appliances with different port configurations easier. You can change the default interface mapping and map a physical interface to a different one, including higher-speed ports. You can also change the parent interfaces of VLAN and LAG interfaces.
High availability ports: You can restore HA backups to devices with fewer or more interfaces. The dedicated HA link can be on a different port in the target device. The enhancement eliminates the previous limitation, which required the target device to have the same number of interfaces and the same dedicated HA link port as the backup.

Backup-restore links

Use the tool to check whether you can restore backups between appliance models and platforms. Check compatible devices to restore backups.
Watch the video Backup-restore enhancements.
See the help page Backup-restore Assistant.

Resolved issues

Version 21.0 MR2 Build 349

Fixed issues, listed by ID, description, explanation and Workaround.
Issue ID	Component	Description
NC-158887	Authentication	Signing in to the web admin console with Microsoft Entra ID SSO didn't work in some browsers when the browser's minor version ended in a number other than zero.
NC-157450	Authentication	API export didn't include the static IP address configured in remote access IPsec VPN.
NC-157308	Authentication	Incorrect IP address assigned to remote access IPsec VPN clients after HA failover.
NC-154794	Authentication	Special character in admin user's password wasn't encoded when they signed in to the auxiliary device with OTP turned on.
NC-154639	Authentication	CSD service didn't run.
NC-153770	Authentication	RADIUS authorization failed if the domain wasn't configured.
NC-151205	Authentication	Captive portal sign-in page reappeared after the user signed in through Microsoft Entra ID SSO.
NC-148837	Authentication	"Set password for User Admin" on the CLI failed if the password contained double quotes or a backslash.
NC-144523	Authentication	User group wasn't visible on the web admin console, but was available in the database.
NC-147708	Backup-Restore	During the restoration of a backup from SG 125 to XGS 108, an error related to pseudo ports appeared, preventing the backup from being restored.
NC-147793	Clientless Access	Pattern update for SSL VPN failed.
NC-148839	CM, Reporting	Generative AI report showed no data.
NC-151752	CM	Multiple firewalls showed the following log viewer entry: "Failed to send firewall information from device to CM".
NC-154362	CM	Virtual firewall was automatically deregistered.
NC-157309	CM	fcwm-updated.log showed customer's admin password in clear text.
NC-160962	CM	Garner and fwcm-heartbeatd services stopped.
NC-151472	Dynamic Routing (RIP)	RIP with MD5 authentication wasn't RFC-compliant after an upgrade to 20.0 GA and 21.0 GA.
NC-144681	Email	Anti-spam service didn't respond.
NC-140439	Email	Japanese subject line was corrupted in quarantine digest email.
NC-153065	Email	Mail flow stopped.
NC-152641	Firmware Management	After upgrading to 21.0 MR1 Build 237, the firewall stopped processing traffic because of SWAP memory configuration changes.
NC-149039	HA	HA status flapped and crash dump occurred when two interfaces were used as the dedicated link.
NC-147307	HA	In XGS 2300, HA failover caused a restart loop for the devices.
NC-132291	HA	Couldn't upload firmware to the passive HA device.
NC-151757	Hardware	XGS 108 2.5G ports didn't flash amber LED.
NC-153049	IPS Ruleset Management	IPS signature was missing in the default IPS policies.
NC-149918	IPsec	Alerts were generated for the auxiliary HA device in Sophos Central that IPsec tunnel was terminated even though traffic wasn't impacted.
NC-147593	IPsec	After a restart, the IPsec tunnel didn't come up, and the failover group needed to be turned on and off.
NC-154660	IPsec	Couldn't initiate IPsec connection. Strongswan was in busy status.
NC-142006	Logging, Reporting	Log viewer filter didn't give the expected output when the following time filter was selected: "Last 10 Minutes".
NC-148674	Logging Framework	/var alerts weren't removed from the Control center.
NC-143913	Logging Framework	Spikes in system graph values appeared in the auxiliary device.
NC-135594	Logging Framework	Garner syslog fd corruption caused data to be sent to the wrong fd.
NC-157663	Logging Framework	Firewall stopped logging reports after a firmware upgrade from 20.0 MR3 to 21.0 MR1.
NC-146826	RED	RED system host object had the incorrect subnet mask /24 instead of /32. If you're using the RED system host for traffic other than a /32 subnet in configurations, such as firewall rules, the traffic won't match. If you face this issue, change the dependent configuration.
NC-143033	RED	XGS 126 automatically restarted and resulted in HA failover.
NC-147935	Reporting	Couldn't generate custom reports for the timestamp before the firmware upgrade.
NC-157194	SDWAN Routing	Reply packet for system-destined traffic matched an SD-WAN route, even though reply packets were turned off in SD-WAN routes on the CLI.
NC-145975	SecurityHeartbeat	XGS 87 had an out-of-memory kernel panic with a memory leak in heartbeatd.
NC-148675	SNMP	Some OIDs didn't work in the VPN tree.
NC-149642	SSLVPN	Couldn't download the SSL VPN configuration file from the VPN portal.
NC-152342	Synchronized App Control	Primary device lost its registration to Sophos Central, and HA wasn't established.
NC-141078	Up2Date Client	Couldn't download the SSL VPN configuration file from the VPN portal after firmware upgrade.
NC-152859	VFP-Firewall	Egress IPsec offload on VFP corrupted the packet when the source interface was VLAN.
NC-143421	WebInSnort	Couldn't access some websites intermittently with DPI and SSL/TLS inspection in virtual HA deployment.
NC-152907	WebInSnort	IPS service became unavailable after an upgrade to 20.0 MR3.
NC-148937	WAF	Couldn't create a Let's Encrypt certificate.
NC-152022	WAF	Lets Encrypt certificate request didn't work because the automatic firewall rule was missing.
NC-152608	WAF	Website hosted on WAF behaved incorrectly when cookie signing was turned on.
NC-152540	WAF	WAF rule was automatically turned on and off continually.
NC-156694	WAF	WAF alert showed up on the Control center for an older rule that no longer existed.
NC-156668	WAF	Let's Encrypt certificate wasn't created. WAF restart failed.
NC-153394	WWAN	A large number of syslog-ng zombie processes occurred and were increasing.

Version 21.0 MR1 Build 277

Fixed issues, listed by ID, description, explanation and Workaround.
Issue ID	Component	Description
NC-153892	PPPoE	PPPoE interface may not connect if it has the special character "#" in the username.
NC-138431	Authentication	MFA tokens weren't working for SSL VPN users after a firmware upgrade to 20.0 MR1.
NC-141413	Authentication	Authentication service stopped responding because of "read_from_client" issues.
NC-144562	Authentication	Unable to add users to the MFA setting after a certain limit. Error appeared on the web admin console.
NC-139323	Certificates	IPS service failed after upgrading to 20.0 MR1.
NC-135473	Clientless Access	Unable to download the configuration file from VPN portal after HA failover with specific conditions.
NC-141997	Clientless Access	Vulnerabilities found in the scan for VPN portal.
NC-147793	VPN	Pattern update failure for SSL VPN.
NC-133133	CM	Group configuration import in Sophos Central management failed from XG 86w firewall.
NC-135944	CM, CM (Join to Cloud)	Unable to access or manage the firewall from Sophos Central.
NC-140829	CM	Intermittent issues with internet connectivity because Garner main thread was blocked during Sophos Central plugin reconfiguration.
NC-144699	CM	FRP-SSO failed when a firewall was deregistered from a Sophos Central account and registered to a different account.
NC-137123	Core Utils	Low swap memory in a device migrated from 17.5 involving a virtual deployment with two disks.
NC-138159	Core Utils	Command failure wasn't handled in HA migration.
NC-143615	Core Utils	USB keyboard didn't work on the CLI in 20.0 MR2 deployed on third-party hardware.
NC-135421	CSC	Firewall rules stopped working after a power failure.
NC-135613	DDNS	DDNS didn't show data on the web admin console.
NC-136462	DHCP	DHCP service was unresponsive for a valid domain entry in Next-Server.
NC-137870	DHCP	Backup-restore failed for DoS rules because system interface mapping failed.
NC-133859	Email	DKIM signatures didn't work as expected. Emails were quarantined.
NC-133988	Email	Entries for rejected mail weren't logged because of the message size.
NC-134038	Email	Emails bounced or weren't delivered when the subject contained "&" with SPX turned on.
NC-141753	Email	Quarantined digest email's subject showed an incorrect "From" date.
NC-152919	Email	Unable to release quarantine emails from the user portal.
NC-123910	Firewall	Kernel panic in FTP over HTTP scenario.
NC-131411	Firewall	Forwarded traffic didn't work randomly for connections through SATC.
NC-137779	Firewall	User accounting was done for traffic going through a network rule.
NC-152641	Base	The firewall stopped processing traffic due to SWAP memory configuration changes after it was upgraded to 21.0 MR1 Build 237.
NC-123807	Gateway Management	Kernel crash dump occurred in a firewall with SFOS 20.0 GA.
NC-100951	HA	Gateway status of an interface configured with dynamic IP assignment was, occasionally, not in sync in an active-passive auxiliary device after HA failover.
NC-137215	HA	TCP traffic didn't work in active-active HA mode with XFRM deployment.
NC-144474	Interface Management	Physical interfaces and expanded logical interfaces weren't visible after upgrading to 21.0 GA.
NC-140591	IPS-DAQ-NSE	An AWS website didn't work randomly. Log viewer showed the following error: "TLS handshake fatal alert: decode error(50)".
NC-140666	IPS-DAQ-NSE	Unable to connect Office365 SMTP with SSL/TLS turned on after an upgrade to 20.0 MR1.
NC-138180	IPsec	Auxiliary device was receiving NAT-T IPsec packets on rekeying after an upgrade to 20.0 MR1.
NC-138822	IPsec	XFRM interface status appeared as "Not configured" even when the IPsec tunnel was established.
NC-143095	IPsec	Unable to download IPsec iOS profile from the VPN portal.
NC-146469	IPS Engine	IPS optimization issue with the number of cores after migration to a different appliance.
NC-143051	Logging Framework	Sophos Firewall appliances stopped sending logs to Graylog syslog server.
NC-146431	MDR Framework	MDR threat feeds showed that the requirements weren't met even though they were.
NC-139922	NFP-Firewall	Mismatched interfaces when IPsec acceleration was turned on.
NC-144311	NFP-Firewall, USFP	Malformed or specifically crafted inner decrypted L3 payload may result in an unresponsive NPU.
NC-141503	Postgres	IPS stopped responding. Unable to restart it because postgres connections exceeded the limit.
NC-137106	QoS	QoS download speed wasn't restricted for SSL VPN users.
NC-136900	RED	Fixed the RED APU file removal and creation on the auxiliary device after this device restarted.
NC-144581	RED	Offline-provisioned RED became non-functional after a RED firmware upgrade.
NC-146114	RED	Primary device automatically restarted and failed over to the auxiliary device after an upgrade to 21.0 GA.
NC-138286	Reporting	Custom view wasn't listed in the custom report when accessing the firewall from Sophos Central.
NC-128242	SDWAN Routing	TFTP traffic didn't flow as expected with an SD-WAN profile.
NC-130534	SDWAN Routing	Web pages timed out with web proxy when MAC address-based SD-WAN rules were used.
NC-137341	SDWAN Routing	The iptable entries of SD-WAN routes disappeared.
NC-141637	Security Heartbeat	Devices were blocked despite green health and no missing heartbeat alert in Sophos Central.
NC-142435	Sentry framework	Snort, garner, and access server processes weren't terminated properly because the process was stuck in GenerateDump.
NC-139458	SSL VPN	Services page and SSL VPN Assistant weren't loading.
NC-139849	SSL VPN	Discrepancies in the site-to-site SSL VPN import validation.
NC-142397	SSL VPN	Out of memory issue. SSL VPN caused the /tmp partition to fill up.
NC-145261	SSL VPN	Incorrect count appeared on the dashboard for connected remote users in 21.0 GA.
NC-144955	Static Routing	Static route remained on the auxiliary device after enabling HA.
NC-122478	UI Framework	Web policy automatically scrolled, leading to a misplaced dialog box.
NC-141688	UI Framework	Need to support automatic language detection for users with SSO sign-in.
NC-151389	UI Framework	Hotspot voucher didn't load on the user portal.
NC-135798	WAF	Set Cache-Control to no-cache, no-store for WAF.
NC-140403	WAF	Pop-up appeared when you opened a WAF rule and clicked the cancel button without any modification to the rule.
NC-140550	WAF	When WAF was used, floating HTML with the cart content didn't appear after items were added to it.
NC-142170	WAF	Fixed how the firewall handles deleted and disabled interfaces referred to in Let's Encrypt certificates.
NC-144659	WAF	Let's Encrypt service showed a busy status in 21.0 GA.
NC-152963	Firewall	With Let's Encrypt turned on, firewall rule positions were altered, affecting the firewall rules that match the traffic.
NC-136403	Web	Web policy override must tell the browser not to autofill bypass codes.
NC-136616	Web	AD SSO didn't work with Kerberos for a specific server and user.
NC-140864	Web	The "Missing template" error appeared instead of the Sophos block page.
NC-141088	Web	The Restrict-Access-To-Tenants setting has a character limit of 256.
NC-142515	Web	Content filter blocking didn't work with Facebook search. It worked with other websites.
NC-136099	WebInSnort	SSL/TLS inspection rules containing only unsupported services behaved like Service was set to Any.
NC-140491	WWAN	Modem didn't connect after an upgrade to SFOS 21.0 EAP0 in XGS 116.
NC-142427	WWAN	Huawei Modem (4G dongle) didn't connect to the firewall after an upgrade to 20.0 MR2.

Version 21.0 GA Build 169

Fixed issues, listed by ID, description, explanation and Workaround.
Issue ID	Component	Description
NC-77828	API Framework	Unable to import user activity that contains categories with special characters.
NC-140410	ATR Framework	Incorrect label for third-party threat feed widget on Control center.
NC-140436	ATR Framework	The Heartbeat endpoint switched to "Red" status even when threat feed is in monitoring, that is, log mode.
NC-140906	ATR Framework	Added hover text for the icons on the Active threat response dashboard window and fixed smudging in the Active threat response table.
NC-141545	ATR Framework	Updated the Active threat response third-party feeds' URL to allow a port number.
NC-124684	Authentication	Static IP address is sporadically not released.
NC-127830	Authentication	RADIUS user who isn't part of VPN group can still connect to SSL VPN.
NC-128138	Authentication	Captive portal with custom code isn't working properly.
NC-131097	Authentication	Upon AD server connectivity, ldap_bind call times out after 30 minutes, causing new authentication requests to fail.
NC-131391	Authentication	L2TP authentication isn't working with Windows Automatic Logon enabled in VPN adapter.
NC-131711	Authentication	TSSO_client_netsend: sending data to server log message shows Error instead of Debug.
NC-132907	Authentication	Access Server coredump in read_from_sock (server.c:379).
NC-136193	Authentication	Updated the tooltip for groups on Authentication > Users.
NC-139018	Authentication	Access-request packets attack vulnerability associated with CVE-2024-3596.
NC-127665	CDB-CFR, CM	Firewall shows disconnected status on Sophos Central after the firewall is restarted.
NC-132127	CDB-CFR, CM	Receiving alerts that the firewall has lost connection to Sophos Central from the auxiliary device.
NC-136645	Certificates	Certificates from Starfield Secure Certificate Authority - G2 aren't trusted in 20.0 MR1.
NC-127253	Clientless Access (VPN Portal)	HTTP Host header injection.
NC-141686	Clientless Access	Remove the VPN portal notification.
NC-128159	CM	SFOS applications don't work when the first two configured DNS servers aren't reachable.
NC-129249	CM, Core Utils	Fix vulnerabilities in libssh2 CVE-2023-48795.
NC-132845	CSC	Username is blank in Log viewer after deleting a user in virtual firewall.
NC-126965	DHCP	Firewall stops logging DHCP logs and Garner service is stuck and can't be restarted.
NC-129171	DHCP	DHCP stopped working after an upgrade from 19.5.3 to 20.0 GA.
NC-130879	DHCP	Follow up of NC-106814: Issue with DHCP relay.
NC-136246	DHCP	Hotfix: DHCP server is unavailable when Boot options are configured with URL.
NC-118624	Dynamic Routing (BGP), HA	BGP service crashes with write error on fd <nn>: Bad file descriptor.
NC-121980	Email	Duplicate email issue.
NC-123889	Email	High CPU usage by warren after upgrade to 19.5 MR3.
NC-124266	Email	Smarthost with RED tunnel setup. Notification emails get stuck in mail spool.
NC-125084	Email	DKIM isn't working as expected.
NC-126576	Email	Greylisting isn't working.
NC-128229	Email	Enabling SPF check isn't an option to block internal domain-spoofed emails.
NC-130236	Email	Emails with `\n` in the subject line are categorized as bulk mail by the spam engine.
NC-131106	Email	Inbound mail isn't delivered to the mailbox when SMTP scanning is on in legacy mode.
NC-132557	Email	HA synchronization issue in email encryption SPX template.
NC-133157	Email	Can't send backups using Amazon SES.
NC-123538	Firewall	MAC filter spoof check doesn't work.
NC-124012	Firewall	NAT rule isn't marked even after an update to 19.5 MR3.
NC-124251	Firewall	RED service is unavailable.
NC-124551	Firewall	Firewall rules aren't working after an upgrade from 18.5.3 to 19.5.3.
NC-134783	Firewall	Unable to see the IP host or MAC host in the firewall.
NC-136153	Firewall	Local ACL exception rule doesn't work for SMTP relay.
NC-120434	Firmware Management	Discrepancy in HA roles being shown.
NC-127503	Firmware Management	Restrict parallel firmware upgrade flows.
NC-131100	Firmware Management	SNMP server shows 100 percent critical `/tmp/npu_diag`.
NC-132224	Firmware Management	Upgrade to 20.0 fails on XGS 87 due to 'invalid firmware' error.
NC-132862	Firmware Management	SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795).
NC-118929	HA	HA doesn't work after a failover. msyncd stops tracking events and doesn't start again.
NC-124105	HA	Configuration changes on firewall show the error The Operation will take time to complete. The status can be viewed from the 'Log viewer' page".
NC-130404	HA	License issue on auxiliary device in active-passive HA cluster.
NC-135054	Hotspot	Problem with expired certificate in hotspot.
NC-122885	Import-Export Framework	Unable to export user configuration.
NC-124721	Interface Management	Firewall becomes unavailable and requires a restart.
NC-132542	IPS-DAQ	Memory allocation failure in jumbogram causes IPS log to increase in GB.
NC-125294	IPS-DAQ-NSE	Firewall drops reset packet in LAN-to-LAN communication when DPI is on.
NC-130017	IPS-DAQ-NSE	Client-server traffic dropped without ac_atp exception due to missing support for TCP keepalive on decrypted TLS.
NC-130365	IPS-DAQ-NSE	Slower TLS inspected download speed from some servers.
NC-128350	IPsec	Connection can't be established through IPsec remote access VPN using the Sophos Connect client.
NC-136651	IPsec	Charon high CPU for IPSec passthrough traffic.
NC-127177	IPS Engine	IPS logs aren't generated in Log viewer.
NC-141315	IPS Ruleset Management	Check /content for space availability before migration to 21.0.
NC-129242	Logging Framework	Notification plugin reconfiguration failure causes crash in fca_output.
NC-136693	Logging Framework	Bandwidth utilization of interfaces isn't shown on Control center.
NC-133375	Logging Framework, Central Reporting	Garner doesn't send the date to Sophos Central.
NC-125112	NFP-Firewall	RED tunnel becomes unavailable with firewall acceleration on in SFOS 19.5.3.
NC-128941	NFP-Firewall	IPsec tunnel stops carrying traffic when ipsec-acceleration is on.
NC-128656	nSXLd	nSXLD times out when the first two DNS servers configured aren't reachable.
NC-115843	PPPoE	Scheduled PPPoE reconnect doesn't work.
NC-128072	PPPoE	PPPoE message missing formatter mapping in Garner.
NC-127663	RED	When trying to add or remove a RED interface on a bridge, SFOS kernel dumps.
NC-130949	RED	Some RED devices became unavailable after downgrading the firewall firmware from 20.0 to 19.5.3.
NC-128539	Reporting	Unable to start on-box reporting after migration to 20.0 GA.
NC-141850	Reporting	Local reporting doesn't work after firmware upgrade. Reporting dB is available.
NC-126363	SDWAN Routing	Firewall rule sporadically doesn't report matching traffic.
NC-127524	SDWAN Routing	SD-WAN route and default MASQ gets applied on system generated traffic.
NC-129618	Security Heartbeat	Heartbeat service unavailable due to malformed MAC address.
NC-137333	Service Object	Missing services entries on the web admin console after changes were made.
NC-128468	SSL VPN	Unable to generate OVPN file due to missing server_dn in the tblsslvpnglobalconf when custom certificate is used.
NC-128469	SSL VPN	Unable to download the SSL VPN configuration from the user portal for certain AD users.
NC-130692	SSL VPN	Special characters are replaced with encoded values in 20.0 and later versions.
NC-130938	SSL VPN	More certificates in the OVPN file than before upgrade.
NC-131180	SSL VPN	SSL VPN remote access resources become inaccessible.
NC-132821	Static Routing	`Staticd` service stops after the firewall is upgraded to 19.5 MR4.
NC-126694	SupportAccess	Support access doesn't work after the firewall restarts.
NC-118925	UI Framework	Unable to restore backup if the backup file name has the & character in the prefix.
NC-124188	UI Framework	HTTP Host header injection in the user portal.
NC-131365	UI Framework	DNS server IP address in DHCP server configuration changes unexpectedly in the web admin console at times.
NC-141325	Up2Date Client	Savi/Avira pattern file didn't clean up after pattern installation, resulting in less space in content partition.
NC-124909	VFP-Firewall	Firewall restarts automatically.
NC-130528	WAF	Missing parameters in the XML API.
NC-130684	WAF	Unable to update WAF rule after updating the certificate.
NC-131782	WAF	After a second failover, the GeoIP settings in WAF rules are lost.
NC-136062	WAF	Migration failed due to duplicate WAF rule names.
NC-140442	WAF	Let's Encrypt couldn't generate a certificate without WAF subscription.
NC-140569	WAF	Firewall goes into failsafe mode.
NC-140619	WAF	Unable to generate Let's Encrypt certificates.
NC-140663	WAF	Invalid Let's Encrypt configuration leads to the reverse proxy restarting all the time.
NC-141062	WAF	ACME server can't issue a certificate for an IP address.
NC-141083	WAF	Performance issues caused by Let's Encrypt.

Known issues

To see the known issues for the firewall, go to the Known issues list.

Set Choose your product to Sophos Firewall. Alternatively, enter a search term.

Upgrading firmware and restoring backups

Upgrading firmware

Form factors:
- SFOS 21.0 GA and later versions are available on all form factors.
- SFOS 21.0 GA and later versions don't support XG and SG Series hardware appliances.
LINCE: Versions 20.0 MR1 and MR2 are LINCE-compliant. For details, see the help page National Essential Security Certification (LINCE).

Important points to know before you upgrade to 21.0 MR2

Interface names

In SFOS 21.0 GA and later versions, if any physical or logical interface has a name, hardware name, or branch name that ends in 10 or more numbers, you can't see the physical interfaces or expand them to see the logical interfaces on Network > Interfaces. For example, VLAN_1234567890. The functionality of the interfaces is not affected, and traffic is processed as usual. The issue only affects the web admin console.

Before you upgrade, make sure none of the firewall interfaces have names that end with 10 or more numbers. For more information, read the knowledgebase article Physical interfaces or expansion of logical interfaces in SFOS v21 not visible.

SSL VPN

Firewalls upgraded to 21.0 GA and later versions won't establish SSL VPN tunnels with the following clients and firewall versions:

SFOS 18.5 and earlier versions (end-of-life): Site-to-site SSL VPNs won't be established between SFOS 18.5 (and earlier versions) and SFOS 21.0 GA (and later versions). We recommend that you upgrade both firewalls to 21.0 GA, 21.0 MR1, 21.0 MR2, or 20.0 MR1 and later maintenance versions at the same time. Alternatively, you can use site-to-site IPsec or RED tunnels.
Legacy SSL VPN client (end-of-life): Remote access SSL VPN tunnels won't be established with the legacy SSL VPN client, which is already end-of-life. You can use the Sophos Connect client or third-party clients, such as OpenVPN client, or use remote access IPsec tunnels.
UTM9 OS: Site-to-site SSL VPNs won't be established between UTM9 OS and SFOS 21.0 GA and later versions. We recommend that you migrate these to 21.0 GA, 21.0 MR1, 21.0 MR2, or 20.0 MR1 and later maintenance versions. Alternatively, you can use site-to-site IPsec or RED tunnels.

End-of-life RED devices

21.0 GA and later versions don't support the following legacy RED devices: RED 15, 15w, and 50. They were declared end-of-life in 2023. For details, see the article Sophos RED: End-of-life of RED 15/15(w) and RED 50.

Compatible versions for firmware upgrade and backup-restore

We strongly recommend that you migrate only to the approved versions in the following table. If you try to migrate to other versions, Sophos Firewall shows an alert asking you to confirm the migration before it restarts. If you confirm the migration, Sophos Firewall restarts with the factory configuration, and you lose your current configuration.

You can only restore backups from versions for which configuration migration is supported.

You can migrate the configuration from all earlier versions to 21.0 MR2.

See How to upgrade.
See XG to XGS migration.

Upgrading firmware
Upgrade from	Upgrade to 21.0 MR2 Build 349	Upgrade to 21.0 MR1 Build 277	Upgrade to 21.0 MR1 Build 272	Upgrade to 21.0 MR1 Build 237	Upgrade to 21.0 GA Build 169
21.0 MR1 Build 277
21.0 MR1 Build 272
21.0 MR1 Build 237
21.0 GA Build 169
20.0 MR3 Build 427
20.0 MR2 Build 378
20.0 MR1 Build 342
20.0 GA Build 222
19.5 MR4 Build 718
19.5 MR3 Build 652
19.5 MR2 Build 624
19.5 MR1 Build 278
19.5 GA Build 197
All 19.0 versions
All 18.5 versions

Indicates the same version or an earlier version. The table only shows upgrade information.

Sophos Central: You can schedule firmware upgrades from Sophos Central.

Previously restored Cyberoam backup: If your appliance uses a configuration previously restored from a Cyberoam backup, the firewall allows you to upgrade to version 21.0 GA only if you've regenerated the appliance certificate at least once on SFOS. The appliance certificate generated on Cyberoam devices uses a weak signature algorithm (MD5). SFOS 20.0.x and later versions don't support appliance certificates with this algorithm.

Static route configurations through Zebra advanced shell: We introduced a new routing engine, which enables the firewall to monitor the interface link status and network configuration. If you're upgrading or restoring the backup from 19.0.x and earlier versions, static routes configured through the Zebra advanced shell CLI commands won't migrate to 19.5.x and later versions. So, in some cases, the firewall won't allow you to upgrade to SFOS 21.0 GA. For details, see the knowledge base article Upgrade to 19.5 GA blocked for specific routing configurations.

Backup-restore

Backups restored to 21.0 GA, MR1, and MR2

You can restore backups to firewall models with fewer ports.

Backups from versions 19.5 MR4 and later: The backup-restore assistant appears when you restore backups from XG, SG running SFOS, XGS to XGS Series firewalls, and cloud and virtual firewalls.
Backups from versions 19.5 MR3 and earlier: The backup-restore assistant doesn't appear, and the firewall automatically maps the interfaces.

Help links

See the help page Backup-restore Assistant.
Use the tool to check if you can restore backups between appliance models and platforms. Check compatible devices to restore backups.
Watch the video Backup-restore enhancements.
To restore backups from Gen.1 to Gen.2 Wi-Fi desktop models, see Wireless models on the help page Key interface mapping concepts.

Supported platforms

Version 21.0

Sophos Firewall OS version 21.0.x is available on the following form factors:

XGS Series firewalls
Virtual and software appliances
Cloud platforms

Additional information

SFOS 21.0 GA and later versions don't support XG and SG Series hardware appliances.
For all hardware lifecycle milestones, see Retirement calendar.
For more information about the supported firmware versions, licenses, and migration, see Firewall Licenses.

Supported firmware versions

Version 21.0.x supports the following firmware versions:

Wi-Fi firmware 11.0.021 and earlier
RED firmware 3.0.011 and earlier
Sophos Connect:
- For Windows: Version 2.5 and earlier
  (Microsoft Entra ID SSO with the Sophos Connect client only applies to SFOS 21.5 and later versions.)
- For macOS: Version 1.4 MR-1 and earlier

Support

You can find technical support for Sophos products in the following ways:

To ask or answer questions, subscribe to blogs, and see recommended reads, visit Sophos Community.
Find how-to, configuration, and troubleshooting videos at Sophos Techvids video hub.
Visit Sophos Support.

Legal notices

Copyright © Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.

Sophos Firewall

Version 21.0 MR2 Build 349 Released on August 13, 2025

You can't upgrade to 21.5 GA from this version.

New features

OAuth 2.0 for email notifications

Active Directory integration

RED

System hosts

Legacy site-to-site RED Early End-of-Life notification

Other enhancements

Live users

SNMP

VPN improvements

High availability

Version 21.0 MR1 Build 277 Released on March 31, 2025

New features

VPN

SSL VPN

IPsec VPN

NAT64

Quality-of-life enhancements

Version 21.0 MR1 Build 272 and Build 237 Released on March 12, 2025 and February 19, 2025

New features

Version 21.0 GA Build 169 Released on October 17, 2024

New features

Active Threat Response with Third-party threat feeds

Let's EncryptTM certificates

New Gen.2 XGS Series desktop appliances

Enhanced scalability and resilience

High availability improvements

Site-to-site IPsec VPN

Authentication

Web

Routing

Reports database

Quality-of-life enhancements

New Backup-restore assistant

Resolved issues

Version 21.0 MR2 Build 349

Version 21.0 MR1 Build 277

Version 21.0 GA Build 169

Known issues

Upgrading firmware and restoring backups

Upgrading firmware

Important points to know before you upgrade to 21.0 MR2

Interface names

SSL VPN

End-of-life RED devices

Compatible versions for firmware upgrade and backup-restore

Backup-restore

Backups restored to 21.0 GA, MR1, and MR2

Help links

Supported platforms

Version 21.0

Additional information

Supported firmware versions

Support

Legal notices

Version 21.0 MR2 Build 349
Released on August 13, 2025

Version 21.0 MR1 Build 277
Released on March 31, 2025

Version 21.0 MR1 Build 272 and Build 237
Released on March 12, 2025 and February 19, 2025

Version 21.0 GA Build 169
Released on October 17, 2024

Let's Encrypt^TM certificates