Sophos Firewall

These release notes are for Sophos Firewall (formerly known as Sophos XG Firewall).

Version 22.0 GA Build 365
Released on December 09, 2025

New features

This page describes the new features introduced in this release. For more information, see Sophos Firewall help.

SFOS 22.0 GA and later versions do not support XG and SG Series hardware appliances.

Firewall health check

The new Firewall health check feature helps you quickly assess your overall firewall configuration and identify configurations that may pose a security risk. The feature evaluates dozens of configurations against CIS benchmarks and other best practices, providing immediate insight into potential vulnerabilities.

A new panel at the top of the Control center page shows the health check status. "Firewall health check" in the main menu shows the detailed report.

The feature strengthens your security posture by helping you keep your firewall up to date and optimally configured with minimal assessment effort. The key benefits are as follows:

Comprehensive evaluation of your firewall configuration
Risk identification for high-risk configurations
Actionable recommendations with a quick drill-down into areas of concern, including the need for a firmware update
The ability to go directly to the configuration that requires change

For more information, watch Firewall health check.

Secure by Design

Next-generation Xstream architecture: New control plane

The key features and benefits are as follows:

The version introduces an all-new control plane specifically architected for maximum security, scalability, and future-readiness.
The new control plane enables modularization, isolation, and containerization, allowing services such as IPS to run like apps on the firewall platform.
The control plane also enables complete separation of privileges, delivering additional security.
The firewall's self-healing capability continuously monitors system status and automatically corrects any deviations, ensuring optimal performance for SFOS.

Hardened kernel

The key features and benefits are as follows:

The next-generation Xstream architecture is built on a new hardened kernel (v6.6+), which provides enhanced security, performance, and scalability that can maximize usage in current and future hardware.
The new kernel delivers tighter process isolation and advanced mitigations for side-channel attacks and CPU vulnerabilities, such as Spectre, Meltdown, L1TF, MDS, Retbleed, ZenBleed, and Downfall.
The enhancement includes hardened usercopy, stack canaries, and Kernel Address Space Layout Randomization (KASLR) for enhanced memory safety and protection against exploitation.

Remote monitoring for system integrity

Remote monitoring is an additional security capability unique to Sophos Firewall.

SFOS now integrates Sophos XDR Sensor for Linux, which continuously monitors system integrity in real-time, detecting unauthorized configurations, rule exports, attempts to execute malicious programs, and file tampering.
The integration enhances Sophos' security team's ability to proactively monitor the entire Sophos Firewall installation base, enabling them to identify and investigate more effectively and respond faster to attacks.

New anti-malware engine

The key features and benefits are as follows:

SFOS now integrates the latest Sophos anti-malware engine, delivering enhanced zero-day protection and real-time detection of emerging threats through global reputation lookups.
SFOS leverages SophosLabs' massive cloud database of known malicious files and is updated every five minutes or less.
SFOS also introduces AI and ML model detections and provides enhanced telemetry to SophosLabs, accelerating emerging threat analysis and detection.

Security and scalability: Other enhancements

The key features and benefits are as follows:

Active threat response:
- Taegis XDR, MDR integrated with SFOS: Taegis XDR and MDR is now integrated with Active Threat Response, enabling seamless network-level threat blocking. You can push malicious IP addresses, domains, and URL information from the Taegis portal to the firewall and block threats across all relevant firewall subsystems. No manual configuration is needed.
- Logging improvements: We introduced granular logging controls for inbound and outbound traffic to reduce noise from repetitive events, such as brute-force attacks. The firewall identifies and matches inbound, forwarded traffic, such as WAF and DNAT traffic, with MDR threat feeds, NDR Essentials, and third-party threat feeds, improving detection of externally initiated threats. Additionally, the enhancement matches the source of outgoing traffic for NDR Essentials and third-party threat feeds, complementing the existing MDR threat feed support.
NDR Essentials:
- Threat score in logs: The assigned threat score is now included in the Active threat response logs for enhanced visibility, reporting, and analytics.
- Data center selection: You can now select the data center region for flow analysis performed by NDR Essentials, helping meet regional and data residency requirements. By default, the system chooses the region with the lowest latency.
Syslog enhancements: The device_name field identifies the hostname of the firewall that produced the logs, enabling clear identification across multiple firewalls. This facilitates effective syslog-based integrations and helps XDR and Taegis administrators in differentiating the data sources.
Active Directory SSO: The firewall includes a major upgrade to the Samba components that connect it to Active Directory services for Kerberos and NTLM authentication. Key benefits include improved support for Windows Server 2025 and the removal of support for older encryption protocols.
Access control for XML API: API access settings have been moved to the Administration menu. Additionally, you can allow API access based on IP hosts, which can include IP addresses, IP ranges, and networks. Previously, you could only add IP addresses. You can now add up to 64 IP hosts compared to the previous maximum limit of 10 IP addresses. The firewall automatically converts the allowed IP addresses into IP host objects when you upgrade. These migrated objects are named using the prefix "apiconfig".
Instant alerts for web categories and keywords: The firewall can raise immediate alerts based on browsing intent and behavior when you turn the feature on in Web > Categories. This capability helps schools move from reactive reporting to proactive safeguarding, protecting students when it matters most and ensuring compliance with the latest digital standards, including mandatory UK requirements for educational institutions. Real-time email notifications include a comprehensive report with details, such as date, time, user, category, and domain.
TLS 1.3 support for device access: The web admin console, VPN portal, and user portal support TLS 1.3, providing stronger encryption.
Public key authentication for admin: Only the default admin can add and delete public keys for SSH authentication.
FastPath: The firewall has optimized memory in the Data Plane Development Kit (DPDK) of the Data Acquisition (DAQ) layer, eliminating many out-of-memory instances in the following desktop firewalls: XGS 87/87w, 107/107w, and 116/116w.

Streamlined management and Quality-of-life enhancements:

The key features and benefits are as follows:

Enhanced navigation performance: You can go to any menu item or tab without waiting for the current page to load, making the web admin console faster and more responsive.
XFRM interface enhancements on the web admin console: Pagination support has been added for XFRM interfaces, along with search and filter options to simplify managing large numbers of XFRM interfaces.
NTP server settings: In fresh installations, the default NTP server setting is now "Use pre-defined NTP server".
Hardware monitoring through SNMP: The MIB file now supports the following hardware metrics:
- CPU temperature: All XGS models
- NPU temperature: XGS models other than 88/88w, 108/108w, 118/118w, 128/128w
- Fan speed: XGS models other than 88/88w and 108/108w
- Power supply status: XGS 2100 and higher models
- PoE measurements: XGS models other than XGS 116/116w
SNMPv1/v2c community: You can add the community string and select IPv4 or IPv6 versions in SNMPv1/v2c configurations. When you upgrade, the firewall copies the Name as the Community string to maintain continuity. It uses a hash of the name and IP address as the Name. The migrated name has the prefix "snmp".
sFlow monitoring: The feature provides real-time data about network traffic based on the packet sampling rate you configure. sFlow enables network troubleshooting, capacity planning, and security monitoring. It supports all physical interfaces, including dependent interfaces, such as aliases and VLANs. You can configure up to five collectors.
Cellular WAN: You can check signal strength using the following CLI command: system cellular_wan show
Automatic firewall rules for site-to-site IPsec VPN: When you select Create firewall rule in site-to-site IPsec connections, the firewall now creates two separate rules, one for incoming traffic and another for outgoing traffic, instead of the previous single rule. The corresponding prefixes for these rules are as follows: "Incoming" and "Outgoing".
MTU of XFRM interfaces: To prevent packet fragmentation and ensure reliable TCP connectivity in route-based VPN tunnels, the firewall automatically assigns an XFRM MTU value after subtracting the maximum IPsec overhead from the physical interface MTU. You can change this value to meet your network requirements.
Identifying firewalls from backup emails: The subject line of backup emails now includes the firewall's hostname, firmware version, serial number, and model. This enhancement makes it easier to identify which firewall a backup belongs to when you manage multiple firewalls.

Security and audit features

The key features and benefits are as follows:

MFA for WAF: You can enforce multi-factor authentication (MFA) on the integrated Web Application Firewall (WAF) to add an extra layer of security.
Enhanced security for WAF: Sessions are now managed by the firewall rather than through client-side cookies, making them more secure against hijacking. With this enhanced protection, you can fully offload authentication to the firewall when authentication forwarding isn't needed, reducing exposure of the internal WAF server.
SHA-256 and SHA-512 for OTP tokens: You can configure SHA-256 and SHA-512 in addition to the previously supported SHA-1 algorithm for MFA. Sophos Intercept X and third-party authenticators, such as Google Authenticator and DUO, support these stronger algorithms. The algorithm you select also applies to the default admin.
Audit trail logs: The firewall provides comprehensive audit logs in the configuration-audit.log file with before-and-after tracking of configuration changes to comply with the latest NIS2 standards. The current phase 1 offering supports audit logs for Firewall rules, Interfaces, and Hosts and services. You can download the detailed log from Diagnostics > Troubleshooting logs. All configuration changes are recorded in XML format.

Version 21.5

For information about the previous version, see 21.5 release notes.

Resolved issues

Version 22.0 GA Build 365

Fixed issues, listed by ID, description, explanation and workaround.
Issue ID	Component	Description
NC-166035	Antivirus	Intelix didn't block the `Sophostest.com` PDF test.
NC-168234	Antivirus, Web	Password-protected PDFs were considered unscannable by the antivirus engine after upgrading to SFOS 22.0.
NC-161530	ATR Framework	AbuseIPDB threat feed's polling interval didn't match the corresponding value in XGS 88.
NC-163477	Authentication	The `oauth_sso_vpn` service was unresponsive. Port 11004 was assigned to a different service.
NC-157450	Authentication	Static IP address configured in remote access IPsec VPN wasn't included in API export.
NC-157308	Authentication	IP pool assignment was incorrect for remote access IPsec VPN clients after HA failover.
NC-154639	Authentication	Administrator couldn't turn on Chromebook SSO, and the CSD service didn't run.
NC-153770	Authentication	RADIUS authorization failed when the domain wasn't configured.
NC-151205	Authentication	Incorrect username was created when there was a mismatch between the UPN and email address during a captive portal sign-in using Microsoft Entra ID.
NC-148837	Authentication	"Set password for user admin" on the CLI failed if the password contained double quotes or a backslash.
NC-145886	Authentication, Logging Framework	Sign-in events weren't included in the scheduled event report that was emailed.
NC-144523	Authentication	User group wasn't visible on the web admin console, but it was available in the database.
NC-159490	Authentication	Administrators with "Read-write" access for "Users" and "None" for "Groups" couldn't add users after an upgrade to 21.0 MR1.
NC-157668	Authentication	Couldn't set the default admin password using more than 42 characters on the web admin console.
NC-156275	Backup-Restore	Backup migration assistant failed.
NC-147708	Backup-Restore	Pseudo port error prevented an SG 125 backup from being restored to XGS 108.
NC-147793	Clientless Access	Pattern update failed for SSL VPN.
NC-160962	CM	The Garner and `fwcm-heartbeatd` services stopped.
NC-157309	CM	`fcwm-updated.log` showed the administrator's password in clear text.
NC-154362	CM	A virtual Sophos Firewall was automatically deregistered.
NC-151752	CM	Multiple firewalls showed the log viewer entry "Failed to send firewall information from device to CM".
NC-148839	CM, Reporting	The Generative AI report showed no data.
NC-158526	CM	Logging and reporting stopped working intermittently. Garner Coredump was frequently generated.
NC-151472	Dynamic Routing (RIP)	RIP with MD5 authentication wasn't RFC-compliant after an upgrade to SFOS 20.0 and 21.0 GA.
NC-154494	Email	Email processing stopped.
NC-153065	Email	Mailflow stopped responding.
NC-152919	Email	Users weren't able to release quarantine emails from the user portal.
NC-152788	Email	DKIM signing failed.
NC-144681	Email	The anti-spam service didn't respond.
NC-156931	Firewall	Administrators couldn't edit IP host and IP host groups after a firmware upgrade to SFOS 21.0. The following error appears: Host with same name already exists.
NC-147534	Firewall	Incorrect information was reflected for destination zones under "Add exclusions" in firewall rules.
NC-147168	Firewall	Remote access SSL VPN connections couldn't reach internal resources.
NC-145002	Firewall	XGS 107 went into failsafe mode, showing the reason that the NAT policy couldn't be applied.
NC-123202	Firewall	Direct proxy with DNAT didn't work when the hosted IP address was used as the interface IP address.
NC-167599	Firewall	When "Restrict client traffic during identity probe" was turned on in STAS, users were blocked.
NC-167559	Firewall	Multiple kernel crashes occurred.
NC-166565	Firewall	The `fwm:` framework template failed when STAS was turned on.
NC-166564	Firewall	Deleting a connection on the connection list didn't work.
NC-165971	Firewall	A field name was incorrectly aligned in firewall rules.
NC-165894	Firewall	HA was disabled on the primary device after a kernel panic in a virtual HA cluster in VMware.
NC-160154	Firewall	Firewall rules didn't work after an upgrade from SFOS 21.0 GA to 21.0 MR1.
NC-157489	Firewall	Use of the special character `\` in the firewall rule name prevented any rules from being detached from the rule group.
NC-152443	Firewall	A printer couldn't connect to print services over policy-based IPsec VPN.
NC-140543	Firewall	XGS 136 crashed and restarted automatically.
NC-168341	Firewall	The `/log/` partition was flooded with logs.
NC-168317	Firewall	Firewall rules didn't work after an upgrade to 22.0 EAP1 with PPPoE over VLAN.
NC-152641	Firmware Management	HA cluster didn't process traffic because of SWAP memory configuration changes after an upgrade to 21.0 MR1 Build 237.
NC-151715	Firmware Management	Auxiliary device entered fail-safe mode when it restarted.
NC-169001	Firmware Management	IPS was unresponsive in a Hyper-V VM after an upgrade to SFOS 22.0 EAP1.
NC-147895	Gateway Management	DGD probing stopped in the HA cluster when the device status changed.
NC-158798	HA	The following error occurred repeatedly in HA msync logs: `/tmp/hb_sac_`.
NC-149039	HA	HA status changed repeatedly, and a crash dump occurred when the dedicated link was a LAG interface.
NC-147739	HA	HA synchronization failed after a power outage.
NC-147307	HA	HA failover caused a restart loop in XGS 2300 devices.
NC-157414	Hotspot	Administrators couldn't delete expired hotspot vouchers.
NC-143042	Interface Management	Bridge interface didn't load in multiple appliances.
NC-154237	IPsec	IPsec connection filter didn't work.
NC-154660	IPsec	The firewall couldn't initiate IPsec connections. Strongswan was in a busy status.
NC-149918	IPsec	IPsec tunnel was terminated, and alerts were generated by the auxiliary device on Sophos Central.
NC-147593	IPsec	After a restart, IPsec tunnel didn't come up, and the failover group needed to be turned off and back on.
NC-166013	IPsec	The interface hamburger menu didn't work.
NC-152817	IPS Engine	IPS engine was unresponsive.
NC-152494	IPS Engine	HTTPS stream occasionally failed to detect requests, allowing encrypted files to be uploaded.
NC-153049	IPS Ruleset Management	IPS signature was missing under the default IPS policies.
NC-159802	Licensing	Administrators with a read-only profile couldn't see the licensing page, although the module had read-only access turned on.
NC-142006	Logging, Reporting	Log viewer's filtered output didn't give the expected result with the time filter "Last 10 Minutes".
NC-157663	Logging Framework	Firewall stopped logging reports after an upgrade from SFOS 20.0 MR3 to 21.0 MR1.
NC-157572	Logging Framework	HA cluster couldn't establish HA.
NC-154459	Logging Framework	The firewall was occasionally unable to upload data to Sophos Central.
NC-152924	Logging Framework	Log settings weren't applied to Sophos Central reporting.
NC-148674	Logging Framework	`/var/` alerts weren't flushed from the Control center.
NC-143913	Logging Framework	Spikes occurred in system graph values in the auxiliary device.
NC-143491	Logging Framework	An updated loop in `syshealth` thread time prevented HA from being established.
NC-135594	Logging Framework	Garner syslog fd corruption resulted in data being sent to the wrong fd.
NC-169237	Logging Framework	Log viewer lost events because of its database corruption.
NC-152904	NDR essentials	Unsupported interfaces were shown in NDR-Essentials for traffic monitoring.
NC-157335	NFP-Firewall	Policy-based IPsec VPN showed poor performance when IPsec acceleration was on after migrating from XG to XGS.
NC-155526	NFP-Firewall	Spurious mflow offload resulted in hairpin tunnel flow with a VLAN interface, sending initial IPsec traffic back out through a different IPsec link.
NC-153067	NFP-Firewall	USFP/Dragonfly application crashed in nDPI.
NC-164835	NFP-Firewall	USFP crashed with the checksum calculation for runt IP packets.
NC-168268	NFP-Firewall	Firewall acceleration wasn't available in old hardware and some VMs because of unsupported drivers.
NC-153892	PPPoE	PPPoE didn't connect because of an authentication failure.
NC-153995	RED	RED devices didn't connect over the second interface after migration from XG Firewall to virtual firewall.
NC-146826	RED	Incorrect `/24` subnet mask was used for the RED system host object instead of `/32`.
NC-143033	RED	XGS 126 restarted automatically, resulting in HA failover.
NC-159433	Reporting	Log viewer and CSV export didn't include all logs when more logs were loaded while the administrator scrolled down in Log viewer.
NC-147935	Reporting	Administrator couldn't generate custom reports for a timestamp before the firmware upgrade.
NC-131090	Reporting	Email addresses were case-sensitive.
NC-160952	Reporting	Custom logo didn't appear in the scheduled report of the auxiliary device.
NC-153889	Reporting	The `df` and `du` commands showed different values.
NC-168253	Reporting	Daily executive reports didn't show entries on separate lines in plain text emails.
NC-157194	SDWAN Routing	Reply packets of system-destined traffic matched SD-WAN routes, even when the CLI command `sd-wan-policy-route reply-packet` was turned off.
NC-157253	SecurityHeartbeat	Heartbeat service was unresponsive. Passphrase decryption failed.
NC-157578	SecurityHeartbeat	Heartbeat communication through SSL VPN was blocked.
NC-147082	SecurityHeartbeat	Log viewer entry showed that the security global configuration was changed by support when the administrator clicked Sophos Central in the firewall.
NC-145975	SecurityHeartbeat	XGS 87 became unresponsive with an out-of-memory kernel panic.
NC-157688	SecurityHeartbeat	`garner.log` repeatedly showed the following error log: "Send message header to heartbeatd failed: Bad file descriptor".
NC-148675	SNMP	Some OIDs in the VPN tree didn't work.
NC-147693	SNMP	SNMP files weren't RFC-compliant.
NC-169565	SNMP	MIB value for "sfos live users count" showed the following error: "No Such Instance currently exists at this OID".
NC-169564	SNMP	MIB values for hardware sensors were strings rather than integers.
NC-168231	Snort-app	IPS service was unresponsive in XGS 126.
NC-149642	SSLVPN	Users couldn't download the SSL VPN configuration file from the VPN portal.
NC-145588	SSLVPN	Disconnecting an SSL VPN tunnel over the Sophos Connect client deleted the content of the `/tmp` folder.
NC-165823	SSLVPN	Firewall upgrade failed when the permitted networks in SSL VPN policies weren't mutually exclusive.
NC-168544	SSLVPN	Users couldn't access the resource when the SSL VPN's TUN IP address was also part of the remote subnets in policy-based IPsec VPN.
NC-169851	Static Routing	Geolocation allow rules stopped working in SFOS 22.0 EAP1.
NC-152342	Synchronized App Control	Primary device was automatically deregistered from Sophos Central, and HA wasn't established.
NC-101839	UI Framework	HA widget wasn't updated.
NC-165899	UI Framework	System section layout on Control center wasn't aligned when the resolution was 4K or higher.
NC-165825	UI Framework	NDR Essentials showed a "Doesn't comply" status in Firewall health check for virtual firewalls.
NC-165821	UI Framework	In QHD 1440P resolution, web admin console pages are incorrectly aligned.
NC-169472	UI Framework	Firewall health check incorrectly showed a "Doesn't comply" status for Firewall rules.
NC-167645	UI Framework	Firewall health check sorting didn't persist after the Override status button was clicked.
NC-166530	UI Framework	Animation of the hover action for menu tabs was erratic.
NC-159731	Up2Date Client	RED 3.0.011 installation failed.
NC-152859	VFP-Firewall	IPsec egress offload on virtual FastPath resulted in corrupted packets when the source interface was a VLAN.
NC-168308	VFP-Firewall	SFOS Home Edition on SG 125 didn't recognize the SFP port after an upgrade to SFOS 22.0 EAP1.
NC-156694	WAF	WAF alert appeared on the Control center for an older rule that no longer existed.
NC-156668	WAF	Let's Encrypt certificate wasn't created, and WAF restart failed.
NC-152608	WAF	A WAF-hosted website didn't behave correctly when cookie signing was turned on.
NC-152540	WAF	WAF rule automatically turned off and back on repeatedly.
NC-152022	WAF	Let's Encrypt certificate request didn't work because the automatic firewall rule was missing.
NC-148937	WAF	Let's Encrypt certificate wasn't created.
NC-166179	WAF	Renewal of the Let's Encrypt certificate didn't trigger a WAF restart.
NC-165612	WAF	Apache fix for CVE-2025-23048 broke the proxy configuration in WAF when the upstream proxy didn't send the correct SNI.
NC-159968	WebInSnort	IPS service was unresponsive.
NC-158238	WebInSnort	IPS service was unresponsive because the resumption_cache KV store couldn't initialize.
NC-152907	WebInSnort	IPS service was unresponsive after an upgrade to SFOS 20.0 MR3.
NC-143421	WebInSnort	An intermittent website access issue occurred with DPI and SSL/TLS inspection in a virtual firewall.
NC-166068	WebInSnort	IPS was unresponsive after an upgrade to SFOS 21.5 GA.
NC-165419	WebInSnort	IPS service crashed when the firewall was restarted.
NC-151810	Wireless	Failed to delete wireless network through the API.
NC-169471	Wireless	MT7915e driver showed a time-out issue.
NC-158549	WWAN	Cellular module didn't try to reconnect when the cellular interface name was changed from "WWAN1".
NC-153394	WWAN	`/dev/urandom` permission change resulted in zombie `syslog-ng` processes.
NC-166205	WWAN	WWAN with the 5G Quectel module from Sophos went into connecting status after receiving a gateway live-to-dead event.
NC-157280	XGS BSP	Traffic didn't flow through the remote access IPsec tunnel after IPsec acceleration was turned on.

Known issues

To see the known issues for the firewall, go to the Known issues list.

Set Choose your product to Sophos Firewall. Alternatively, enter a search term.

Upgrading firmware and restoring backups

Upgrading firmware

Form factors:
- SFOS 22.0 GA and later versions are available on all form factors.
- SFOS 22.0 GA and later versions don't support XG and SG Series hardware appliances.
LINCE: Versions 20.0 MR1 and MR2 are LINCE-compliant. For more information, read National Essential Security Certification (LINCE).

Compatible versions for firmware upgrade and backup-restore

We strongly recommend that you migrate only to the approved versions in the following table. If you try to migrate to other versions, Sophos Firewall shows an alert asking you to confirm the migration before it restarts. If you confirm the migration, Sophos Firewall restarts with the factory configuration, and you lose your current configuration.

You can only restore backups from versions for which configuration migration is supported.

You can migrate the configuration from all earlier versions to 22.0 GA.

Read How to upgrade.
Read XG to XGS migration.

Upgrading firmware
Upgrade from	Upgrade to 22.0 GA Build 365
21.5 MR1 Build 261
21.5 GA Build 171
21.0 MR2 Build 349
21.0 MR1 Build 277
21.0 MR1 Build 272
21.0 MR1 Build 237
21.0 GA Build 169
All 20.0 versions
All 19.5 versions
All 19.0 versions

Sophos Central: You can schedule firmware upgrades from Sophos Central.

Important points to know before you upgrade to 22.0 GA

SFOS 22.0 requires additional disk space

SFOS 22.0 and later versions require additional disk space to accommodate upcoming new features and enhanced functionality. Most appliances already meet these requirements; however, a subset of desktop, virtual, and software deployments may require manual intervention before they can upgrade.

Appliances that have sufficient disk space but require resizing take a slightly longer upgrade time, ranging from two to ten minutes, because the root partition is resized during the upgrade.

Watch Upgrade paths to SFOS 22.0.
If you see a Control center alert or firmware page notification about disk space requirements, read Requirements and resolution to upgrade to SFOS 22.0 and later.

Interface names

In SFOS 21.5 GA and later versions, if any physical or logical interface has a name, hardware name, or branch name that ends in 10 or more numbers, you can't see the physical interfaces or expand them to see the logical interfaces on Network > Interfaces. For example, VLAN_1234567890. The functionality of the interfaces is not affected, and traffic is processed as usual. The issue only affects the web admin console.

Before you upgrade, make sure none of the firewall interfaces have names that end with 10 or more numbers. For more information, read Physical interfaces or expansion of logical interfaces in SFOS v21 not visible.

SSL VPN

Firewalls upgraded to 21.5 GA and later versions won't establish SSL VPN tunnels with UTM9 OS. We recommend that you migrate these to 20.0 MR1 or later maintenance versions. Alternatively, you can use site-to-site IPsec or RED tunnels.

End-of-life RED devices

21.5 GA and later versions don't support the following legacy RED devices: RED 15, 15w, and 50. They were declared end-of-life in 2023. Read Sophos RED: End-of-life of RED 15/15w and RED 50.

Backup-restore

Backups restored to 22.0 GA and later

You can restore backups to firewall models with fewer ports.

Backups from versions 19.5 MR4 and later: The backup-restore assistant appears when you restore backups from XG, SG running SFOS, and XGS to XGS Series firewalls, and cloud and virtual firewalls.
Backups from versions 19.5 MR3 and earlier: The backup-restore assistant doesn't appear, and the firewall automatically maps the interfaces.

Help links

Read Backup-restore Assistant.
Use the tool to check if you can restore backups between appliance models and platforms. Check compatible devices to restore backups.
Watch Backup-restore enhancements.
To restore backups from Gen.1 to Gen.2 Wi-Fi desktop models, see Wireless models in Key interface mapping concepts.

Supported platforms

Version 21.5

Sophos Firewall OS version 21.5 gateway is available on the following form factors:

XGS Series firewalls
Virtual and software appliances
Cloud platforms

Additional information

SFOS 21.5 GA and later versions don't support XG and SG Series hardware appliances.
For all hardware lifecycle milestones, read Retirement calendar.
For more information about the supported firmware versions, licenses, and migration, read Firewall Licenses.

Supported firmware versions

Version 21.5 GA supports the following firmware versions:

Wi-Fi firmware 11.0.021 and earlier
RED firmware 3.0.011 and earlier
Sophos Connect:
- For Windows: Version 2.5 and earlier
- For macOS: Version 1.4 MR-1 and earlier

Support

You can find technical support for Sophos products in the following ways:

To ask or answer questions, subscribe to blogs, and see recommended reads, visit Sophos Community.
Find how-to, configuration, and troubleshooting videos at Sophos Techvids video hub.
Visit Sophos Support.

Legal notices

Copyright © Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.