Sophos Firewall

These release notes are for Sophos Firewall (formerly known as Sophos XG Firewall).

Version 21.5 GA Build 171
Released on June 02, 2025

New features

This page describes the new features introduced in this release. For more information, see the Sophos Firewall help.

SFOS 21.0 GA and later versions, including SFOS 21.5 GA, do not support XG and SG Series hardware appliances.

NDR Essentials

Sophos NDR Essentials is now integrated with Sophos Firewall, offering a new layer of threat protection under Active threat response. It analyzes traffic flows using cloud-hosted NDR Machine Learning, offloading heavy processing to the cloud.

NDR Essentials inspects traffic using the following engines:

Encrypted Payload Analysis: Analyzes encrypted payloads without requiring TLS decryption.
Domain Generation Algorithm: The ML-powered engine detects newly discovered active adversaries.

The detection triggers logs, alerts, and notifications based on thresholds that you specify.

The feature is currently available as part of the Xstream Protection bundle for XGS Series firewalls only.

See the following resources:

Read NDR Essentials.
Watch NDR Essentials for Sophos Firewall.

Microsoft Entra ID SSO for the Sophos Connect client and VPN portal

Users can establish remote access IPsec and SSL VPN tunnels using their network credentials.

Integration with Microsoft Entra ID (Azure AD) Single Sign-On (SSO) now extends to the Sophos Connect client and VPN portal.
It provides cloud-native Active Directory integration over the industry standard OAuth 2.0 and OpenID Connect protocols for a seamless SSO experience.
This feature is available with Sophos Connect client 2.4 and later versions on Microsoft Windows.

See the following resources:

DNS Protection

Sophos DNS Protection was previously integrated with Sophos Firewall. The service protects against malicious domains and risky DNS activities across your network.

This release provides the following enhancements:

A new Control center widget to show the DNS Protection status.
Enhanced troubleshooting insights through logs, notification emails, and the current status to more easily identify issues.
Sophos Assistant now provides guided steps to configure Sophos DNS Protection.

This feature is included in the Xstream Protection bundle.

See the following resources:

Read DNS Protection.
Watch DNS Protection.

VPN and scalability

This version offers important enhancements to VPN connections and scalability.

Site-to-site IPsec VPN: IPsec connection type options have been renamed to make them more intuitive.
- "Site-to-site" has been renamed to "Policy-based".
- "Tunnel interface" has been renamed to "Route-based (Tunnel interface)".
IP lease pool validation for remote access VPN: The firewall validates the leased pool of IP addresses in SSL VPN, IPsec, L2TP, and PPTP remote access VPNs, eliminating potential IP address conflicts across these types of VPN.
IPsec profile selection: The "Use strict profile" field in IPsec profiles excludes default values, ensures a successful handshake, eliminates packet fragmentation, and minimizes tunnel establishment issues.
Route-based IPsec VPN scalability: The firewall's route-based VPN capacity has been doubled with support for up to 3,000 tunnels.
SD-RED scalability: Sophos Firewall devices now support up to 1,000 site-to-site RED tunnels and 650 SD-RED devices.

Streamlined management and quality-of-life enhancements

This version offers multiple quality-of-life enhancements to simplify and improve firewall management.

Resizable table columns: Many features, including SD-WAN routes and profiles, NAT rules, SSL/TLS inspection rules, Hosts and services, and Site-to-site IPsec VPN, support resizable table columns. Column sizes are retained in the browser memory for the administrator's subsequent visits to the web admin console.
Extended free text search: SD-WAN routes now offer a search capability using the route name, ID, objects, and object values, such as IP addresses, domains, and other criteria. Local ACL exception rules support search using the object name and value. This also includes content-based search.
New Inter Font: The firewall has introduced a sharper, clearer text experience with a modern and consistent user interface across platforms. The font is lightweight, reducing the asset size and API calls by up to 50 percent.
Default firewall rules: The default firewall rules and rule group created when setting up a new firewall have been removed. Only the default network rule and MTA rule remain in new deployments. The default firewall rule group is now set to None.
Default gateway configuration: Default gateway probing for custom gateways is now set to None.

Watch Quality-of-life enhancements.

Other enhancements

This version offers other important enhancements.

Virtual, software, cloud licensing and Home edition: Removed the RAM restrictions on Sophos Firewall virtual, software, Cloud BYOL and Firewall Home edition licenses. All new and existing instances of Sophos Firewall no longer have RAM restrictions as part of their license and are now restricted only by the CPU core count.
Larger file size limit in WAF: Web Application Firewall supports a configurable request (upload) file size limit and can scan file sizes up to 1 GB.
Secure by Design: In our efforts to continually improve the security of Sophos Firewall, this release adds real-time telemetry gathering, using secure hash validation to flag unexpected changes to core OS files. This will enable our monitoring teams to proactively identify potential security incidents before they become a problem.
DHCP prefix delegation relaxation: DHCP PD now supports /48 to /64 prefixes, improving interoperability with ISPs. In addition, Router Advertisements (RA) and the DHCPv6 server are turned on by default.
Path MTU discovery: This feature resolves TLS decryption errors caused by the latest ML-KEM (Kyber) key exchange supported in browsers. The firewall's deep packet inspection engine automatically detects and adjusts the MTU for each flow, ensuring optimal performance based on specific network conditions.
NAT64 support: The firewall supports NAT64 for IPv6 to IPv4 traffic in explicit proxy mode. In this mode, IPv6-only clients can access IPv4 websites. The firewall also supports IPv4 upstream proxy for IPv6-only clients.

Version 21.0

For information about the previous version, see 21.0 release notes.

Resolved issues

Version 21.5 GA Build 171

Fixed issues, listed by ID, description, explanation and Workaround.
Issue ID	Component	Description
NC-140436	ATR Framework	Heartbeat endpoint switched to Red status even when threat feed is in logging mode.
NC-154639	Authentication	CSD service didn't run for Chromebook SSO.
NC-146416	Authentication	Guest user deletion didn't generate an admin event.
NC-144562	Authentication	Couldn't add users to the MFA setting after a certain limit. Web admin console showed an error.
NC-141584	Authentication	Access_server service didn't respond.
NC-141413	Authentication	Authentication outage occurred because of unresponsive read_from_client.
NC-139018	Authentication	Access-Request packet vulnerability associated with CVE-2024-3596.
NC-138431	Authentication	MFA tokens didn't work for SSL VPN users after a firmware upgrade to 20.0 MR1.
NC-146046	CDB-CFR, CM	Garner showed an error message on every appliance.
NC-141452	Certificates	IPS service failed after an upgrade to 20.0 MR1.
NC-147793	Clientless Access	Pattern update failure for SSL VPN.
NC-141997	Clientless Access	Hardened XSS protection for the VPN portal.
NC-141686	Clientless Access	Removed the notification on the VPN portal about moving VPN functionality from the user portal.
NC-140829	CM	Intermittent internet connectivity issue.
NC-133133	CM	CM Group configuration import from XG 86w failed.
NC-146950	Core Utils	Alcatel USB modem stopped working after an upgrade to 21.0 GA on SG 115 with software image installed.
NC-143615	Core Utils	USB keyboards weren't working with SFOS deployed on third-party hardware.
NC-135421	CSC	Firewall rules stopped working after a power outage.
NC-135613	DDNS	DDNS didn't show data on the web admin console.
NC-152919	Email	Users couldn't release quarantine emails from the user portal.
NC-141753	Email	Quarantine digest email showed incorrect dates in the subject field.
NC-140439	Email	The subject column in the Japanese quarantine digest email showed corrupted characters.
NC-134038	Email	Email wasn't delivered on Sophos Firewall when the subject had the "&" character, and SPX was turned on.
NC-133859	Email	DKIM signatures didn't work as expected. Emails were quarantined.
NC-137779	Firewall	User accounting was done for traffic going through network rule.
NC-131411	Firewall	For connections through SATC, forwarded traffic didn't work randomly.
NC-123910	Firewall	Kernel panic issue.
NC-152641	Firmware Management	After an upgrade to 21.0 MR1 build 237, the device stopped processing traffic due to SWAP memory configuration changes.
NC-147895	Gateway Management	DGD probing stopped in HA setup under a specific scenario.
NC-137215	HA	TCP traffic didn't work in Active-Active HA with XFRM.
NC-144474	Interface Management	Physical interfaces and expanded logical interfaces weren't visible after an upgrade to 21.0 GA.
NC-152817	IPS Engine	IPS engine stopped responding after an upgrade to 21.5 EAP0.
NC-146469	IPS Engine	IPS optimization issue with the number of cores after migration to a different appliance.
NC-141315	IPS Ruleset Management	Check the /content folder to see if the firewall has the required disk space before migrating to 21.0 GA.
NC-140666	IPS-DAQ-NSE	Unable to connect Office 365 SMTP with SSL/TLS turned on after an upgrade to 20.0 MR1.
NC-140591	IPS-DAQ-NSE	Log viewer showed the error message "TLS handshake fatal alert: decode error(50)".
NC-145970	IPsec	Some XFRM routes were removed during HA failover when the unit became the primary device.
NC-144643	IPsec	After the IPsec connection was disconnected or disabled, the firewall still tried to push traffic from 1:1 IPsec NAT IP addresses into the tunnel until the strongSwan service was restarted.
NC-143095	IPsec	Couldn't download the IPsec iOS profile from the VPN portal.
NC-138822	IPsec	XFRM interface status appeared as "Not Configured" even when the IPsec tunnel was up.
NC-138180	IPsec	Auxiliary device received NAT-T IPsec packets on rekeying after an upgrade to 20.0 MR1.
NC-143051	Logging Framework	Sophos Firewall devices stopped sending logs to the Graylog syslog server.
NC-146431	MDR Framework	MDR threat feeds showed that requirements weren't met even though they were.
NC-152904	NDR sensor	Don't show the interfaces that NDR Essentials doesn't support in its drop-down list.
NC-153067	NFP-Firewall	USFP Dragonfly application stopped responding in nDPI.
NC-131085	NFP-Firewall, XGS BSP	NPU segmentation fault. No traffic was seen except on MGMT interfaces, and the interfaces were grayed out on the web admin console./td>
NC-141503	Postgres	IPS stopped responding and couldn't restart because of excessive Postgres connections.
NC-153892	PPPoE	PPPoE didn't connect due to authentication failure.
NC-146114	RED	The primary device unexpectedly restarted and failed over to the auxiliary device.
NC-144581	RED	Offline-provisioned RED became non-functional after a RED firmware upgrade.
NC-138286	Reporting	Custom view wasn't listed in the custom report when accessing the firewall through Sophos Central.
NC-137341	SDWAN Routing	The iptable entries of SDWAN routes disappeared.
NC-130534	SDWAN Routing	Web pages timed out with web proxy when using MAC-based SD-WAN rules.
NC-128242	SDWAN Routing	TFTP traffic didn't flow as expected in combination with an SD-WAN profile.
NC-141637	SecurityHeartbeat	Devices were stonewalled despite showing green health and no missing heartbeat alert in Central.
NC-149642	SSLVPN	Couldn't download SSL VPN configuration from the VPN portal.
NC-145261	SSLVPN	Incorrect count was shown on the dashboard for connected remote users in 21.0 GA.
NC-142397	SSLVPN	SSL VPN caused /tmp partition to fill up.
NC-139849	SSLVPN	Discrepancies in Site-to-site SSL VPN import validation.
NC-144955	Static Routing	Static route remained on the auxiliary device after enabling HA.
NC-141688	UI Framework	Support automatic language detection for SSO users.
NC-122478	UI Framework	Automatic scrolling in web policy placed the dialog box incorrectly.
NC-101839	UI Framework	HA widget wasn't updated.
NC-141325	Up2Date Client	Savi/Avira pattern file wasn't cleaned up after pattern installation, resulting in less space in the content partition.
NC-141078	Up2Date Client	Unable to download SSL VPN configuration file from the VPN portal after firmware upgrade.
NC-157046	VFP-Firewall	Update Dragonfly library to ignore tunnel processing.
NC-144659	WAF	Let's Encrypt service was busy.
NC-141083	WAF	Performance issues caused by Let's Encrypt.
NC-141062	WAF	ACME server couldn't issue a certificate for an IP address.
NC-140663	WAF	Invalid Let's Encrypt configuration led to the reverse proxy restarting all the time.
NC-140550	WAF	When using WAF, floating HTML with the cart content wasn't shown after adding items.
NC-140403	WAF	A pop-up appeared when you opened a WAF rule and clicked the Cancel button without modifying the WAF rule.
NC-137695	WAF	Blank IP address on WAF hosted address caused a dependency error on another WAF rule.
NC-135798	WAF	Set Cache-Control to no-cache, no-store for WAF.
NC-142515	Web	Content filter blocking didn't work with Facebook search. It worked with other websites.
NC-141088	Web	Restrict-Access-To-Tenants has a character limit of 256.
NC-140864	Web	"Missing template" appeared instead of the Sophos block page.
NC-136616	Web	AD SSO didn't work with Kerberos for a specific server and user.
NC-152907	WebInSnort	IPS service didn't respond after an upgrade to 20.0 MR3.
NC-142427	WWAN	Huawei Modem (4G dongle) didn't connect to the firewall after an upgrade to 20.0 MR2.

Known issues

To see the known issues for the firewall, go to the Known issues list.

Set Choose your product to Sophos Firewall. Alternatively, enter a search term.

Upgrading firmware and restoring backups

Upgrading firmware

Form factors:
- SFOS 21.5 GA and later versions are available on all form factors.
- SFOS 21.5 GA and later versions don't support XG and SG Series hardware appliances.
LINCE: Versions 20.0 MR1 and MR2 are LINCE-compliant. For more information, read National Essential Security Certification (LINCE).

Important points to know before you upgrade to 21.5 GA

Interface names

In SFOS 21.5 GA and later versions, if any physical or logical interface has a name, hardware name, or branch name that ends in 10 or more numbers, you can't see the physical interfaces or expand them to see the logical interfaces on Network > Interfaces. For example, VLAN_1234567890. The functionality of the interfaces is not affected, and traffic is processed as usual. The issue only affects the web admin console.

Before you upgrade, make sure none of the firewall interfaces have names that end with 10 or more numbers. For more information, read Physical interfaces or expansion of logical interfaces in SFOS v21 not visible.

SSL VPN

Firewalls upgraded to 21.5 GA and later versions won't establish SSL VPN tunnels with the following clients and firewall versions:

SFOS 18.5 and earlier versions (end-of-life): Site-to-site SSL VPNs won't be established between SFOS 18.5 (and earlier versions) and SFOS 21.5 GA (and later versions). We recommend that you upgrade both firewalls to 21.5 GA, 21.0 GA, 21.0 MR1, or 20.0 MR1 and later maintenance versions at the same time. Alternatively, you can use site-to-site IPsec or RED tunnels.
Legacy SSL VPN client (end-of-life): Remote access SSL VPN tunnels won't be established with the legacy SSL VPN client, which is already end-of-life. You can use the Sophos Connect client or third-party clients, such as OpenVPN client, or use remote access IPsec tunnels.
UTM9 OS: Site-to-site SSL VPNs won't be established between UTM9 OS and SFOS 21.5 GA and later versions. We recommend that you migrate these to 21.5 GA, 21.0 GA, 21.0 MR1, or 20.0 MR1 and later maintenance versions. Alternatively, you can use site-to-site IPsec or RED tunnels.

End-of-life RED devices

21.5 GA and later versions don't support the following legacy RED devices: RED 15, 15w, and 50. They were declared end-of-life in 2023. Read Sophos RED: End-of-life of RED 15/15(w) and RED 50.

Compatible versions for firmware upgrade and backup-restore

We strongly recommend that you migrate only to the approved versions in the following table. If you try to migrate to other versions, Sophos Firewall shows an alert asking you to confirm the migration before it restarts. If you confirm the migration, Sophos Firewall restarts with the factory configuration, and you lose your current configuration.

You can only restore backups from versions for which configuration migration is supported.

You can migrate the configuration from all earlier versions to 21.5 GA.

Read How to upgrade.
Read XG to XGS migration.

Upgrading firmware
Upgrade from	Upgrade to 21.5 GA Build 171
21.0 MR1 Build 277
21.0 MR1 Build 272
21.0 MR1 Build 237
21.0 GA Build 169
20.0 MR3 Build 427
20.0 MR2 Build 378
20.0 MR1 Build 342
20.0 GA Build 222
19.5 MR4 Build 718
19.5 MR3 Build 652
19.5 MR2 Build 624
19.5 MR1 Build 278
19.5 GA Build 197
All 19.0 versions

Indicates the same version or an earlier version. The table only shows upgrade information.

Sophos Central: You can schedule firmware upgrades from Sophos Central.

Previously restored Cyberoam backup: If your appliance uses a configuration previously restored from a Cyberoam backup, the firewall allows you to upgrade to version 21.5 GA only if you've regenerated the appliance certificate at least once on SFOS. The appliance certificate generated on Cyberoam devices uses a weak signature algorithm (MD5). SFOS 20.0.x and later versions don't support appliance certificates with this algorithm.

Static route configurations through Zebra advanced shell: We introduced a new routing engine, which enables the firewall to monitor the interface link status and network configuration. If you're upgrading or restoring the backup from 19.0.x and earlier versions, static routes configured through the Zebra advanced shell CLI commands won't migrate to 19.5.x and later versions. So, in some cases, the firewall won't allow you to upgrade to SFOS 21.5 GA. For details, read Upgrade to 19.5 GA blocked for specific routing configurations.

Backup-restore

Backups restored to 21.5 GA

You can restore backups to firewall models with fewer ports.

Backups from versions 19.5 MR4 and later: The backup-restore assistant appears when you restore backups from XG, SG running SFOS, and XGS to XGS Series firewalls, and cloud and virtual firewalls.
Backups from versions 19.5 MR3 and earlier: The backup-restore assistant doesn't appear, and the firewall automatically maps the interfaces.

Help links

Read Backup-restore Assistant.
Use the tool to check if you can restore backups between appliance models and platforms. Check compatible devices to restore backups.
Watch Backup-restore enhancements.
To restore backups from Gen.1 to Gen.2 Wi-Fi desktop models, see Wireless models in Key interface mapping concepts.

Supported platforms

Version 21.5

Sophos Firewall OS version 21.5 gateway is available on the following form factors:

XGS Series firewalls
Virtual and software appliances
Cloud platforms

Additional information

SFOS 21.5 GA and later versions don't support XG and SG Series hardware appliances.
For all hardware lifecycle milestones, read Retirement calendar.
For more information about the supported firmware versions, licenses, and migration, read Firewall Licenses.

Supported firmware versions

Version 21.5 GA supports the following firmware versions:

Wi-Fi firmware 11.0.021 and earlier
RED firmware 3.0.011 and earlier
Sophos Connect:
- For Windows: Version 2.4 and earlier
- For macOS: Version 1.4 MR-1 and earlier

Support

You can find technical support for Sophos products in the following ways:

To ask or answer questions, subscribe to blogs, and see recommended reads, visit Sophos Community.
Find how-to, configuration, and troubleshooting videos at Sophos Techvids video hub.
Visit Sophos Support.

Legal notices

Copyright © Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.

Sophos Firewall

Version 21.5 GA Build 171 Released on June 02, 2025

New features

NDR Essentials

Microsoft Entra ID SSO for the Sophos Connect client and VPN portal

DNS Protection

VPN and scalability

Streamlined management and quality-of-life enhancements

Other enhancements

Version 21.0

Resolved issues

Version 21.5 GA Build 171

Known issues

Upgrading firmware and restoring backups

Upgrading firmware

Important points to know before you upgrade to 21.5 GA

Interface names

SSL VPN

End-of-life RED devices

Compatible versions for firmware upgrade and backup-restore

Backup-restore

Backups restored to 21.5 GA

Help links

Supported platforms

Version 21.5

Additional information

Supported firmware versions

Support

Legal notices

Version 21.5 GA Build 171
Released on June 02, 2025