These are the release notes for Sophos Switch.
The features mentioned in these release notes are only available if you have the appropriate license.
View the product documentation at Sophos Switch.
You can block traffic from specific MAC addresses across all VLANs on Monitor > MAC address table > MAC blocking.
You can view the list of blocked MAC addresses on the new Blocking list tab.
There are no new Sophos Central features for this release.
Issue ID | Component | Description |
---|---|---|
NSW-6894 | Switch | Fixed an issue that caused backups to fail. |
NSW-6313 | Switch | Fixed an issue that stopped switches from sending NTP traffic when an FQDN was used. |
NSW-6238 | Switch | Fixed an issue that caused RADIUS configuration on the local Sophos Switch UI and CLI to be out of sync. |
NSW-5982 | Switch | Fixed an issue where multiple switches lost connectivity to Sophos Central and had to be restarted to restore HTTP or SSH access. |
NSW-5836 | Switch | Fixed an issue where pings from the switch to a PC weren't working. |
NSW-5474 | Switch | Fixed an issue where Port 5 couldn't be configured for untagged VLAN traffic. |
NSW-5461 | Switch | Fixed an issue where there was no traffic after client reboot and no MAC addresses were learned. |
There are no local switch features for this release.
You can configure PoE settings in Sophos Central at both the site and switch levels.
You can set the global PoE power budget or adjust individual settings for each port.
You can turn PoE keepalive on and off and configure it for each port.
There are no resolved issues included in this release.
There are no local switch features for this release.
You can configure loopback detection in Sophos Central on Switch management > Port Settings. To prevent loops, the switch sends loopback packets and shuts down any ports that receive a loopback packet from itself.
DoS configuration is now available in Sophos Central on Switch management > Security. This lets you configure your switches to protect against common denial-of-service attacks.
You can configure the log settings for RAM logs and flash logs in Sophos Central. This lets you choose the severity level of messages that appear in the logs.
There are no resolved issues included in this release.
There are no local switch features for this release.
Smart logging is now available in Sophos Central under Switch management > Diagnostics > Sophos error reporting. This feature sends agent logs to Sophos Central in the event of any of the following failures:
Smart log forwarding is turned on by default. The logging information sent to Sophos Central only contains communication events between switches and Sophos Central. They don't include configuration or network-related data.
There are no resolved issues included in this release.
There are no local switch features for this release.
Sophos Central FSC regions (Australia, Brazil, Canada, India, and Japan) now support Sophos Switch.
There are no resolved issues included in this release.
There are no local switch features for this release.
You can now add MAC filtering entries from Sophos Central and view synchronized entries.
You can now view Address Resolution Protocol (ARP) statistics from Sophos Central.
Issue ID | Component | Description |
---|---|---|
NSW-5967 | Central | Backups can now be paused and resumed. |
NSW-5945 | Central | The first full sync now succeeds even if a switch is moved to a different site while it's registering. |
NSW-5574 | Central | A QoS policy created at the site level can now be successfully deleted at the switch level. |
NSW-5558 | Central | An error no longer appears in the changelog when modifying or deleting an access list from switch level that was created at the site level. |
NSW-5457 | Central | The correct Static ports appear in MLD Snooping when selecting ports used in LAG. |
There are no local switch features for this release.
Sophos Switches registered with Sophos Central with a valid support services license can access the Active Threat Response (ATR) feature. The ATR API ingests threat feed data allowing MDR analysts and network administrators to quickly isolate malicious hosts across the network.
From Sophos Central, an administrator can view an Active Threat Response page and turn the Active Threat Response on or off for Sophos Switches. The ATR page also lists the isolated hosts across all Sophos switches and AP6 access points managed in Sophos Central.
The Active Threat Response APIs are available on Sophos Central. For information on how to access and use APIs from Sophos Central, see Sophos Central APIs. The APIs can enable third-party integrations and workflows to swiftly isolate malicious activity at the network access layer. We're always interested in how third-party integrations are deployed, so please send us feedback regarding your custom integrations.
To view the Switch Management APIs, see Switch Management API.
Sophos Switch diagnostics in Sophos Central have been enhanced with the following new features:
You can now view the RAM and flash logs from the Sophos Switch on the RAM logs and Flash logs tabs on the Diagnostics page.
There are no resolved issues included in this release.
There are no local switch features for this release.
You can now view the ARP table and create entries from Sophos Central. See Discovery.
You can now view the MAC table and create entries from Sophos Central. See Discovery.
You can now view the Neighbour table from Sophos Central. See Discovery.
There are no resolved issues included in this release.
You can now configure a TACACS+ server for authentication. See TACACS+ server.
You can now use a configured TACACS+ server for 802.1X authentication. See 802.1x.
You can now use Root and BPDU guards with STP. See STP.
You can now view per-port statistics using the realtime meters. See Realtime meters.
There are no new Sophos Central features in this release.
There are no resolved issues included in this release.
There are no local switch features for this release.
You can now configure SNMP settings from Sophos Central. See SNMP.
You can now configure Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP) from Sophos Central. See Discovery.
There are no resolved issues included in this version.
There are no local switch features for this release.
You can now configure advanced port settings from Sophos Central. See Port settings.
You can now configure your voice VLAN from Sophos Central. See VLANs.
There are no resolved issues included in this version.
There are no local switch features for this release.
You can now take and restore configuration backups from Sophos Central. See Backup.
There are no resolved issues included in this version.
There are no local switch features for this release.
You can now fully manage QoS settings per switch or per site from Sophos Central. See Quality of service (QoS) management from Sophos Central.
There are no resolved issues included in this version.
The key addition in this release is MAC Address Bypass (MAB). This feature extends the existing 802.1x functionality by allowing 802.1x MAC-based authentication bypass (MAB). With this, Sophos Switch can authenticate one or more connected hosts using the host MAC address as the account information for authentication. Each host connected to a Sophos switch port with MAB enabled is authenticated individually based on the host's MAC address. Any traffic from hosts that aren't authorized is dropped.
For customers who purchased Support and Services subscription for Sophos Switch, the support activation was not yet integrated into Sophos Central. We are now beginning the process to fully integrate and enforce Support and Services, allowing you to seamlessly manage your switch support subscriptions alongside your other Sophos products.
There are no Sophos Central features added in this release.
Issue ID | Component | Description |
---|---|---|
NSW-25143 | Switch | Special characters are now supported within the SNMP password field. |
NSW-2513 | Switch | From the terminal, administrators can now upload an SSL certificate and private key. |
NSW-2512 | Switch | Removed support for weak encryption ciphers (3DES-CBC, AES128-CBC, AES256-CBC) for SSH access. |
NSW-2032 | Switch | The VLAN name can now include special characters, including "-", "_", and spaces. For example, you can configure the VLAN name as "vlan-100". |
NSW-3476 | Switch | An issue was addressed that prevented 802.1X authentication from working properly when certificates were used as part of the authentication. |
NSW-3410 | Switch | Doing an SNMP walk request causes the Sophos switch to go into a reboot loop. |
NSW-2843 | Switch | The error message displayed when adding more than the supported number of VLANs was updated to now display “System networks (IPv4): Max limit reached. A maximum of 3 VLANs are allowed with IP address.” |
NSW-2815 | Switch | An issue was seen where creating a LAG between Sophos switches was not working correctly. |
NSW-2694 | Switch | In the local switch GUI the CDP neighbor details display an incorrect firmware version. |
NSW-2675 | Switch | The TFTP backup restore fails when executed from the local GUI. |
NSW-2445 | Switch | An intermittent issue has been seen where the Sophos switch stops forwarding traffic. |
NSW-2230 | Switch | CDP v2 does not work properly between a Sophos switch and a Cisco switch. |
NSW-1832 | Switch | Added description information to the CLI to explain the password configuration rules. |
NSW-1790 | Switch | The power budget is displayed as 0w when the power budget is configured using a decimal value from the local switch GUI. |
NSW-1569 | Switch | The local switch GUI did not display VLAN names correctly when a dash or underscore was used in the name. |
NSW-1301 | Switch | From Central the Sophos switch redirect links are not navigating to the specific page in the local switch GUI. |
NSW-810 | Switch | SSH without the -c option does not work properly. |
There are no local switch features present in this release.
With IP networks, you can assign IP addresses to up to 3 VLANs, configure the management VLAN IP address from Sophos Central, and use the switch as a gateway for selected VLANs.
If you're using your Sophos Switch as a gateway for any VLANs that don't have a DHCP server present, the switch can act as a DHCP relay, sending requests to the DHCP server of your choice.
If you're using your switch as a gateway device, you may prefer to route some traffic to gateways other than the default gateway. Static routes allow you to create more direct routing paths when you need it.
Protect against rogue DHCP servers on your networks by enabling and configuring DHCP snooping.
Optimize multicast traffic flows and protect against packet flooding with IGMP and MLD snooping, to direct multicast flows to only interested listeners.
Issue ID | Component | Description |
---|---|---|
NSW-2509 | Switch | Improved error message to be more understandable when firmware updates fail due to connectivity issues. |
Global search in the switch local UI allows an admin to enter keywords in the search field and will then list all matching entries containing that keyword. Clicking on one of the search results will take you directly to the configuration page, making navigation faster and simpler.
MAC-Address Filtering (MAF) allows you to block traffic from a specific VLAN-MAC combination. Only the unicast MAC address can be configured in a MAF entry. Multicast and broadcast addresses are not supported in this function.
IP source guard improves security by restricting access based on validation of the host's source IP address. It is a per-interface traffic filter that permits all IP packets, except for DHCP, only when the IP address and MAC address of each packet match one of two sources of IP and MAC address bindings: the DHCP snooping table or static IP source entries that you configure.
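The filter decision described above can be modelled as follows. This is an added example, not Sophos code: the port names, addresses, verdict strings and the `SourceGuard` class are constructed for illustration. It assumes bindings are tracked per port and that "except for DHCP" means DHCP client traffic (UDP 68 to 67) passes unchecked so a host can obtain a lease.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    port: str                        # ingress switch port (hypothetical names)
    src_mac: str
    src_ip: str
    udp_sport: Optional[int] = None
    udp_dport: Optional[int] = None


def _mac(m: str) -> str:
    """Normalise MAC notation so AA-BB-.. and aa:bb:.. compare equal."""
    return m.lower().replace("-", ":")


class SourceGuard:
    """Illustrative model of a per-interface IP+MAC source filter."""

    def __init__(self, snooping, static):
        # Both binding sources feed one lookup: (port, ip) -> allowed MACs.
        self.bindings = {}
        for port, ip, mac in [*snooping, *static]:
            self.bindings.setdefault((port, ip), set()).add(_mac(mac))

    def verdict(self, p: Packet) -> str:
        # Assumption: DHCP client traffic is exempt from the binding check.
        if (p.udp_sport, p.udp_dport) == (68, 67):
            return "permit:dhcp"
        macs = self.bindings.get((p.port, p.src_ip))
        if macs is None:
            return "drop:no-binding"      # source IP not bound on this port
        if _mac(p.src_mac) not in macs:
            return "drop:mac-mismatch"    # bound IP used by a different MAC
        return "permit:bound"


# Constructed sample data: one DHCP-learned binding and one static entry.
SNOOPING = [("ge1", "10.0.10.21", "AA-BB-CC-00-00-01")]
STATIC = [("ge3", "10.0.10.50", "aa:bb:cc:00:00:50")]
SAMPLE = [
    Packet("ge1", "aa:bb:cc:00:00:01", "10.0.10.21"),       # legitimate host
    Packet("ge1", "aa:bb:cc:00:00:01", "10.0.10.1"),        # unbound source IP
    Packet("ge1", "de:ad:be:ef:00:99", "10.0.10.21"),       # wrong MAC for IP
    Packet("ge2", "aa:bb:cc:00:00:02", "0.0.0.0", 68, 67),  # DHCP request
    Packet("ge2", "aa:bb:cc:00:00:01", "10.0.10.21"),       # binding on other port
    Packet("ge3", "aa:bb:cc:00:00:50", "10.0.10.50"),       # static entry
]


def run_sample():
    guard = SourceGuard(SNOOPING, STATIC)
    return [guard.verdict(p) for p in SAMPLE]
```

The two drop reasons are worth logging separately: an unbound source IP and a bound IP arriving from an unexpected MAC point to different causes when investigating.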
Cisco Discovery Protocol is a layer 2 protocol developed by Cisco Systems to show device information between Cisco machines. After enabling CDP, devices can view information of connected Cisco/CDP-supported devices, send CDP packets for neighbors to recognize the Sophos switch, and further improve the convenience of management on devices manufactured by different companies.
The VLAN 0 priority tagging feature enables 802.1Q Ethernet frames to be transmitted with the VLAN ID set to zero. These frames are called priority-tagged frames. Setting the VLAN ID tag to zero allows the VLAN ID tag to be ignored and the Ethernet frame to be processed according to the priority configured in the 802.1P bits of the 802.1Q Ethernet frame header. The priority-tag ingress filtering function would ignore packets with the priority-tag to defend against attack packets using VLAN 0.
PoE Port Reset is used to manually reset the PoE power supply of a specific port. After PoE power is turned off (CLI CMD: power reset), power will resume after the specified 'power reset interval' has passed. This feature can be used from the CLI mode by setting custom power reset intervals for each port and connected PoE devices will be powered on after specific intervals.
This feature allows you to combine multiple Ethernet/SFP links into a single logical link between two network devices for greater throughput and high availability. Admins will be able to configure LAG groups from Sophos Central at the site level and switch level, along with other port settings in Sophos Central.
There aren't any bug fixes in this release.
See Sophos Switch Known Issues list for a full list of known issues with Sophos Switch.
You can find technical support for Sophos products in any of these ways: