These release notes are for Sophos Firewall (formerly known as Sophos XG Firewall).
This page describes the new features introduced in this release. For more information, see the Sophos Firewall help.
SFOS 21.0 GA and later versions, including SFOS 21.5 do not support XG and SG Series hardware appliances.
The firewall supports OAuth 2.0 as an additional authentication method for the email notifications it sends. We recommend that you move to OAuth 2.0 for Gmail. Gmail may stop supporting password-based authentication very soon.
Read Notification settings.
NDR Essentials delivers the following enhancements:
The firewall supports Windows Server 2025 for Active Directory SSO (NTLM and Kerberos) authentication.
RED system host objects now have the correct subnet mask of /32. You can see system host details in Hosts and services > IP host. Previously, when you created a RED interface, the system host was assigned the subnet mask you configured.
If you're using the RED system host for traffic other than a /32 subnet in configurations, such as firewall rules, the traffic won't match any longer. To resolve this, you must replace the RED system host with the correct IP host or network host in these dependent configurations.
The legacy RED site-to-site tunnels (Legacy firewall RED server and client configurations) won't be supported in SFOS 22.0 and later. We recommend that you migrate to the supported RED site-to-site or VPN tunnels.
The firewall can generate scheduled PDF reports in multiple languages. They are automatically generated in the language the administrator uses when signing in to the firewall to schedule them.
The device_name field captures the hostname of the firewall that produced the logs, enabling clear identification across multiple firewalls. This facilitates effective syslog-based integrations and helps XDR and Taegis administrators in differentiating the data sources.
The security enhancements in high availability configurations are as follows:
ha.log, has been enhanced to include the node name and the current role information.The hotspots page in the user portal has a "Created date" column. You can sort vouchers based on the date you've created them, which lets you see the latest vouchers at the top.
Improved RFC compliance in SNMP MIB files to enhance compatibility with third-party SNMP tools. The firewall supports the following RFCs for the MIB file:
More features, including most of the network menu, SD-WAN routes and profiles, gateways, and local service ACL exception rules support resizable columns. When you resize a column, the change is stored in the browser memory, and the resized column appears when you visit the page again.
Data usage for live users is now shown using the standard unit formats (KB, MB, and GB) for enhanced usability.
This page describes the new features introduced in this release. For more information, see the Sophos Firewall help.
SFOS 21.0 GA and later versions, including SFOS 21.5 GA, do not support XG and SG Series hardware appliances.
Sophos NDR Essentials is now integrated with Sophos Firewall, offering a new layer of threat protection under Active threat response. It analyzes traffic flows using cloud-hosted NDR Machine Learning, offloading heavy processing to the cloud.
NDR Essentials inspects traffic using the following engines:
The detection triggers logs, alerts, and notifications based on thresholds that you specify.
The feature is currently available as part of the Xstream Protection bundle for XGS Series firewalls only.
See the following resources:
Users can establish remote access IPsec and SSL VPN tunnels using their network credentials.
See the following resources:
Sophos DNS Protection was previously integrated with Sophos Firewall. The service protects against malicious domains and risky DNS activities across your network.
This release provides the following enhancements:
This feature is included in the Xstream Protection bundle.
See the following resources:
This version offers important enhancements to VPN connections and scalability.
This version offers multiple quality-of-life enhancements to simplify and improve firewall management.
Watch Quality-of-life enhancements.
This version offers other important enhancements.
| Issue ID | Component | Description |
|---|---|---|
| NC-144523 | Authentication | User group wasn't visible on the web admin console, but was available in the database. |
| NC-145886 | Authentication, Logging Framework | Sign-in events weren't visible in the scheduled event report sent over email. |
| NC-148837 | Authentication | "Set password for User Admin" on the CLI failed if the password contained double quotes or a backslash. |
| NC-151205 | Authentication | Captive portal sign-in page reappeared after the user signed in through Microsoft Entra ID SSO. |
| NC-153770 | Authentication | RADIUS authorization failed if the domain wasn't configured. |
| NC-154794 | Authentication | Special character in admin user's password wasn't encoded when they signed in to the auxiliary device with OTP turned on. |
| NC-157308 | Authentication | Incorrect IP address assigned to remote access IPsec VPN clients after HA failover. |
| NC-157450 | Authentication | API export didn't include the static IP address configured in remote access IPsec VPN. |
| NC-157668 | Authentication | Couldn't set the admin password over the web admin console when it exceeded 42 characters. |
| NC-163477 | Authentication | oauth_sso_vpn service showed a dead status for Microsoft Entra ID SSO authentication because the corresponding port was assigned to a different service. |
| NC-147708 | Backup-Restore | During the restoration of a backup from SG 125 to XGS 108, an error related to pseudo ports appeared, preventing the backup from being restored. |
| NC-156275 | Backup-Restore | Couldn't restore backup using the Backup-restore assistant. |
| NC-148839 | CM, Reporting | Generative AI report showed no data. |
| NC-151752 | CM | Multiple firewalls showed the following log viewer entry: "Failed to send firewall information from device to CM". |
| NC-154362 | CM | Virtual firewall was automatically deregistered. |
| NC-157309 | CM | fcwm-updated.log showed customer's admin password in clear text. |
| NC-158526 | CM | Logging and reporting stopped working intermittently. Garner coredump occurred frequently. |
| NC-160962 | CM | Garner and fwcm-heartbeatd services stopped. |
| NC-151472 | Dynamic Routing (RIP) | RIP with MD5 authentication wasn't RFC-compliant after an upgrade to 20.0 GA and 21.0 GA. |
| NC-144681 | Anti-spam service didn't respond. | |
| NC-152788 | Alert emails sent by the firewall failed the DKIM check in Sophos Central email. | |
| NC-153065 | Mail flow stopped. | |
| NC-154494 | Email processing stopped. | |
| NC-123202 | Firewall | Direct proxy with DNAT rule didn't work when the hosted IP address was used as the interface IP address. |
| NC-145002 | Firewall | XGS 107 went into failsafe mode, showing the reason "Cannot apply NAT policy". |
| NC-147168 | Firewall | Remote access SSL VPN users weren't able to access or ping internal resources. |
| NC-147534 | Firewall | Firewall rule with exclusion showed incorrect information for the destination zone. |
| NC-152443 | Firewall | Printer was unable to connect to print services over policy-based IPsec VPN. |
| NC-156931 | Firewall | Couldn't edit the IP host object and IP host group after firmware upgrade to SFOS 21.0.0.169. The following error appeared: "Host with same name already exists". |
| NC-151715 | Firmware Management | Auxiliary device entered failsafe mode on restart. System restart failed. |
| NC-147307 | HA | In XGS 2300, HA failover caused a restart loop for the devices. |
| NC-147739 | HA | HA synchronization failed after a power outage. |
| NC-149039 | HA | HA status flapped and crash dump occurred when two interfaces were used as the dedicated link. |
| NC-158798 | HA | Errors were found in the HA msync logs. |
| NC-157414 | Hotspot | Couldn't delete expired hotspot vouchers. |
| NC-143042 | Interface Management | Bridge interface didn't load on multiple appliances. |
| NC-147593 | IPsec | After a restart, the IPsec tunnel didn't come up, and the failover group needed to be turned on and off. |
| NC-149918 | IPsec | Alerts were generated for the auxiliary HA device in Sophos Central that an IPsec tunnel was terminated even though traffic wasn't impacted. |
| NC-154660 | IPsec | Couldn't initiate an IPsec connection. Strongswan was in busy status. |
| NC-152494 | IPS Engine | HTTPS stream didn't detect requests occasionally, preventing an encrypted file from being blocked. |
| NC-153049 | IPS Ruleset Management | IPS signature was missing in the default IPS policies. |
| NC-159802 | Licensing | Administrator with a read-only administrator profile couldn't see the licensing page, although read-only access was turned on. |
| NC-142006 | Logging, Reporting | Log viewer filter didn't give the expected output when the following time filter was selected: "Last 10 Minutes". |
| NC-135594 | Logging Framework | Garner syslog fd corruption caused data to be sent to the wrong fd. |
| NC-143491 | Logging Framework | HA wasn't established because of the syshealth thread's time update loop. |
| NC-143913 | Logging Framework | Spikes in system graph values appeared in the auxiliary device. |
| NC-148674 | Logging Framework | /var alerts weren't removed from the Control center. |
| NC-152924 | Logging Framework | Log settings configuration wasn't applied to Central Reporting. |
| NC-154459 | Logging Framework | Couldn't upload Sophos Central data sometimes. |
| NC-157663 | Logging Framework | Firewall stopped logging reports after firmware upgrade from 20.0 MR3 to 21.0 MR1. |
| NC-155526 | NFP-Firewall | Incorrect mflow offload occurred in a hairpin tunnel with one VLAN interface. |
| NC-157335 | NFP-Firewall | After migrating from XG to XGS appliance, policy-based IPsec VPN showed poor performance. IPsec acceleration was on. |
| NC-143033 | RED | XGS 126 automatically restarted and resulted in HA failover. |
| NC-146826 | RED | RED system host object had the incorrect subnet mask /24 instead of /32.If you're using the RED system host for traffic other than a |
| NC-149649 | RED | Kernel crash dump occurred. |
| NC-153995 | RED | RED devices didn't connect after migrating from XG to a virtual firewall. |
| NC-131090 | Reporting | The same address was shown twice because of case-sensitivity. |
| NC-147935 | Reporting | Couldn't generate custom reports for the time before the firmware upgrade. |
| NC-153889 | Reporting | Difference was observed in the result between the df and du commands. |
| NC-159433 | Reporting | Logs were missing in the Log viewer and CSV export when the admin scrolled down and more logs were loaded. |
| NC-160952 | Reporting | Custom logo didn't appear in the scheduled report for the auxiliary device. |
| NC-157578 | SecurityHeartbeat | Heartbeat communication through SSL VPN was blocked. |
| NC-157688 | SecurityHeartbeat | Repetitive error logs appeared in garner.log: "Send message header to heartbeatd failed: Bad file descriptor". |
| NC-147693 | SNMP | SNMP files weren't RFC-compliant. |
| NC-148675 | SNMP | Some OIDs didn't work in the VPN tree. |
| NC-145588 | SSLVPN | Content of the /tmp directory was deleted when an SSL VPN connection over the Sophos Connect client was disconnected. |
| NC-141078 | Up2Date Client | Couldn't download the SSL VPN configuration file from the VPN portal after a firmware upgrade. |
| NC-159731 | Up2Date Client | Couldn't install the RED pattern update 3.0.011. |
| NC-160061 | VFP-Firewall | XGS 128 restarted automatically because of kernel panic during IPsec acceleration. |
| NC-148937 | WAF | Couldn't create the Let's Encrypt certificate. |
| NC-152022 | WAF | Let's Encrypt certificate request didn't work because the automatic firewall rule was missing. |
| NC-152540 | WAF | WAF rule was automatically turned on and off continually. |
| NC-152608 | WAF | Website hosted on WAF behaved incorrectly when cookie signing was turned on. |
| NC-156694 | WAF | WAF alert showed up on the Control center for an older rule that no longer existed. |
| NC-165612 | WAF | Apache fix for CVE-2025-23048 broke the proxy configuration in WAF when the upstream proxy didn't send the correct SNI. |
| NC-151591 | Web | Windows Server 2025 compatibility issues occurred with AD SSO. |
| NC-143421 | WebInSnort | An intermittent website access issue was observed with DPI and SSL/TLS inspection in a virtual firewall. |
| NC-158238 | WebInSnort | IPS service didn't respond because the resumption_cache KV store couldn't initialize. |
| NC-159968 | WebInSnort | IPS service didn't respond. |
| NC-165419 | WebInSnort | IPS service didn't respond. IPS pattern update failed. |
| NC-166068 | WebInSnort | IPS stopped responding after an upgrade to SFOS 21.5 GA. |
| NC-151810 | Wireless | Couldn't delete wireless network through API. |
| NC-153394 | WWAN | A large number of syslog-ng zombie processes occurred and were increasing. |
| NC-158549 | WWAN | Cellular module didn't reconnect if the cellular interface name was changed from WWAN1 to a different one. |
| NC-157280 | XGS BSP | When IPsec acceleration was on, traffic didn't flow through remote access IPsec VPN. |
| Issue ID | Component | Description |
|---|---|---|
| NC-140436 | ATR Framework | Heartbeat endpoint switched to Red status even when threat feed is in logging mode. |
| NC-154639 | Authentication | CSD service didn't run for Chromebook SSO. |
| NC-146416 | Authentication | Guest user deletion didn't generate an admin event. |
| NC-144562 | Authentication | Couldn't add users to the MFA setting after a certain limit. Web admin console showed an error. |
| NC-141584 | Authentication | Access_server service didn't respond. |
| NC-141413 | Authentication | Authentication outage occurred because of unresponsive read_from_client. |
| NC-139018 | Authentication | Access-Request packet vulnerability associated with CVE-2024-3596. |
| NC-138431 | Authentication | MFA tokens didn't work for SSL VPN users after a firmware upgrade to 20.0 MR1. |
| NC-146046 | CDB-CFR, CM | Garner showed an error message on every appliance. |
| NC-141452 | Certificates | IPS service failed after an upgrade to 20.0 MR1. |
| NC-147793 | Clientless Access | Pattern update failure for SSL VPN. |
| NC-141997 | Clientless Access | Hardened XSS protection for the VPN portal. |
| NC-141686 | Clientless Access | Removed the notification on the VPN portal about moving VPN functionality from the user portal. |
| NC-140829 | CM | Intermittent internet connectivity issue. |
| NC-133133 | CM | CM Group configuration import from XG 86w failed. |
| NC-146950 | Core Utils | Alcatel USB modem stopped working after an upgrade to 21.0 GA on SG 115 with software image installed. |
| NC-143615 | Core Utils | USB keyboards weren't working with SFOS deployed on third-party hardware. |
| NC-135421 | CSC | Firewall rules stopped working after a power outage. |
| NC-135613 | DDNS | DDNS didn't show data on the web admin console. |
| NC-152919 | Users couldn't release quarantine emails from the user portal. | |
| NC-141753 | Quarantine digest email showed incorrect dates in the subject field. | |
| NC-140439 | The subject column in the Japanese quarantine digest email showed corrupted characters. | |
| NC-134038 | Email wasn't delivered on Sophos Firewall when the subject had the "&" character, and SPX was turned on. | |
| NC-133859 | DKIM signatures didn't work as expected. Emails were quarantined. | |
| NC-137779 | Firewall | User accounting was done for traffic going through network rule. |
| NC-131411 | Firewall | For connections through SATC, forwarded traffic didn't work randomly. |
| NC-123910 | Firewall | Kernel panic issue. |
| NC-152641 | Firmware Management | After an upgrade to 21.0 MR1 build 237, the device stopped processing traffic due to SWAP memory configuration changes. |
| NC-147895 | Gateway Management | DGD probing stopped in HA setup under a specific scenario. |
| NC-137215 | HA | TCP traffic didn't work in Active-Active HA with XFRM. |
| NC-144474 | Interface Management | Physical interfaces and expanded logical interfaces weren't visible after an upgrade to 21.0 GA. |
| NC-152817 | IPS Engine | IPS engine stopped responding after an upgrade to 21.5 EAP0. |
| NC-146469 | IPS Engine | IPS optimization issue with the number of cores after migration to a different appliance. |
| NC-141315 | IPS Ruleset Management | Check the /content folder to see if the firewall has the required disk space before migrating to 21.0 GA. |
| NC-140666 | IPS-DAQ-NSE | Unable to connect Office 365 SMTP with SSL/TLS turned on after an upgrade to 20.0 MR1. |
| NC-140591 | IPS-DAQ-NSE | Log viewer showed the error message "TLS handshake fatal alert: decode error(50)". |
| NC-145970 | IPsec | Some XFRM routes were removed during HA failover when the unit became the primary device. |
| NC-144643 | IPsec | After the IPsec connection was disconnected or disabled, the firewall still tried to push traffic from 1:1 IPsec NAT IP addresses into the tunnel until the strongSwan service was restarted. |
| NC-143095 | IPsec | Couldn't download the IPsec iOS profile from the VPN portal. |
| NC-138822 | IPsec | XFRM interface status appeared as "Not Configured" even when the IPsec tunnel was up. |
| NC-138180 | IPsec | Auxiliary device received NAT-T IPsec packets on rekeying after an upgrade to 20.0 MR1. |
| NC-143051 | Logging Framework | Sophos Firewall devices stopped sending logs to the Graylog syslog server. |
| NC-146431 | MDR Framework | MDR threat feeds showed that requirements weren't met even though they were. |
| NC-152904 | NDR sensor | Don't show the interfaces that NDR Essentials doesn't support in its drop-down list. |
| NC-153067 | NFP-Firewall | USFP Dragonfly application stopped responding in nDPI. |
| NC-131085 | NFP-Firewall, XGS BSP | NPU segmentation fault. No traffic was seen except on MGMT interfaces, and the interfaces were grayed out on the web admin console./td> |
| NC-141503 | Postgres | IPS stopped responding and couldn't restart because of excessive Postgres connections. |
| NC-153892 | PPPoE | PPPoE didn't connect due to authentication failure. |
| NC-146114 | RED | The primary device unexpectedly restarted and failed over to the auxiliary device. |
| NC-144581 | RED | Offline-provisioned RED became non-functional after a RED firmware upgrade. |
| NC-138286 | Reporting | Custom view wasn't listed in the custom report when accessing the firewall through Sophos Central. |
| NC-137341 | SDWAN Routing | The iptable entries of SDWAN routes disappeared. |
| NC-130534 | SDWAN Routing | Web pages timed out with web proxy when using MAC-based SD-WAN rules. |
| NC-128242 | SDWAN Routing | TFTP traffic didn't flow as expected in combination with an SD-WAN profile. |
| NC-154503 | SecurityHeartbeat | XGS 87 had an out-of-memory kernel panic with a memory leak in heartbeatd. |
| NC-141637 | SecurityHeartbeat | Devices were stonewalled despite showing green health and no missing heartbeat alert in Central. |
| NC-149642 | SSLVPN | Couldn't download SSL VPN configuration from the VPN portal. |
| NC-145261 | SSLVPN | Incorrect count was shown on the dashboard for connected remote users in 21.0 GA. |
| NC-142397 | SSLVPN | SSL VPN caused /tmp partition to fill up. |
| NC-139849 | SSLVPN | Discrepancies in Site-to-site SSL VPN import validation. |
| NC-144955 | Static Routing | Static route remained on the auxiliary device after enabling HA. |
| NC-141688 | UI Framework | Support automatic language detection for SSO users. |
| NC-122478 | UI Framework | Automatic scrolling in web policy placed the dialog box incorrectly. |
| NC-101839 | UI Framework | HA widget wasn't updated. |
| NC-141325 | Up2Date Client | Savi/Avira pattern file wasn't cleaned up after pattern installation, resulting in less space in the content partition. |
| NC-141078 | Up2Date Client | Unable to download SSL VPN configuration file from the VPN portal after firmware upgrade. |
| NC-157046 | VFP-Firewall | Update Dragonfly library to ignore tunnel processing. |
| NC-144659 | WAF | Let's Encrypt service was busy. |
| NC-141083 | WAF | Performance issues caused by Let's Encrypt. |
| NC-141062 | WAF | ACME server couldn't issue a certificate for an IP address. |
| NC-140663 | WAF | Invalid Let's Encrypt configuration led to the reverse proxy restarting all the time. |
| NC-140550 | WAF | When using WAF, floating HTML with the cart content wasn't shown after adding items. |
| NC-140403 | WAF | A pop-up appeared when you opened a WAF rule and clicked the Cancel button without modifying the WAF rule. |
| NC-137695 | WAF | Blank IP address on WAF hosted address caused a dependency error on another WAF rule. |
| NC-135798 | WAF | Set Cache-Control to no-cache, no-store for WAF. |
| NC-142515 | Web | Content filter blocking didn't work with Facebook search. It worked with other websites. |
| NC-141088 | Web | Restrict-Access-To-Tenants has a character limit of 256. |
| NC-140864 | Web | "Missing template" appeared instead of the Sophos block page. |
| NC-136616 | Web | AD SSO didn't work with Kerberos for a specific server and user. |
| NC-152907 | WebInSnort | IPS service didn't respond after an upgrade to 20.0 MR3. |
| NC-142427 | WWAN | Huawei Modem (4G dongle) didn't connect to the firewall after an upgrade to 20.0 MR2. |
To see the known issues for the firewall, go to the Known issues list.
Set Choose your product to Sophos Firewall. Alternatively, enter a search term.
In SFOS 21.5 GA and later versions, if any physical or logical interface has a name, hardware name, or branch name that ends in 10 or more numbers, you can't see the physical interfaces or expand them to see the logical interfaces on Network > Interfaces. For example, VLAN_1234567890. The functionality of the interfaces is not affected, and traffic is processed as usual. The issue only affects the web admin console.
Before you upgrade, make sure none of the firewall interfaces have names that end with 10 or more numbers. For more information, read Physical interfaces or expansion of logical interfaces in SFOS v21 not visible.
Firewalls upgraded to 21.5 GA and later versions won't establish SSL VPN tunnels with the following clients and firewall versions:
21.5 GA and later versions don't support the following legacy RED devices: RED 15, 15w, and 50. They were declared end-of-life in 2023. Read Sophos RED: End-of-life of RED 15/15(w) and RED 50.
We strongly recommend that you migrate only to the approved versions in the following table. If you try to migrate to other versions, Sophos Firewall shows an alert asking you to confirm the migration before it restarts. If you confirm the migration, Sophos Firewall restarts with the factory configuration, and you lose your current configuration.
You can only restore backups from versions for which configuration migration is supported.
You can migrate the configuration from all earlier versions to 21.5 GA.
| Upgrade from | Upgrade to 21.5 MR1 Build 261 | Upgrade to 21.5 GA Build 171 |
|---|---|---|
| 21.5 GA Build 171 | ||
| 21.0 MR2 Build 349 | ||
| 21.0 MR1 Build 277 | ||
| 21.0 MR1 Build 272 | ||
| 21.0 MR1 Build 237 | ||
| 21.0 GA Build 169 | ||
| 20.0 MR3 Build 427 | ||
| 20.0 MR2 Build 378 | ||
| 20.0 MR1 Build 342 | ||
| 20.0 GA Build 222 | ||
| 19.5 MR4 Build 718 | ||
| 19.5 MR3 Build 652 | ||
| 19.5 MR2 Build 624 | ||
| 19.5 MR1 Build 278 | ||
| 19.5 GA Build 197 | ||
| All 19.0 versions |
Indicates the same version or an earlier version. The table only shows upgrade information.
Sophos Central: You can schedule firmware upgrades from Sophos Central.
Previously restored Cyberoam backup: If your appliance uses a configuration previously restored from a Cyberoam backup, the firewall allows you to upgrade to version 21.5 GA only if you've regenerated the appliance certificate at least once on SFOS. The appliance certificate generated on Cyberoam devices uses a weak signature algorithm (MD5). SFOS 20.0.x and later versions don't support appliance certificates with this algorithm.
Static route configurations through Zebra advanced shell: We introduced a new routing engine, which enables the firewall to monitor the interface link status and network configuration. If you're upgrading or restoring the backup from 19.0.x and earlier versions, static routes configured through the Zebra advanced shell CLI commands won't migrate to 19.5.x and later versions. So, in some cases, the firewall won't allow you to upgrade to SFOS 21.5 GA. For details, read Upgrade to 19.5 GA blocked for specific routing configurations.
You can restore backups to firewall models with fewer ports.
Sophos Firewall OS version 21.5 gateway is available on the following form factors:
Version 21.5 GA supports the following firmware versions:
You can find technical support for Sophos products in the following ways:
Copyright © Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.
Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.