Version 20.0 MR2 Build 378
Released on July 23, 2024
New features
This page describes the new features introduced. For details, see the Sophos Firewall help.
New Backup-restore assistant
SFOS 20.0 MR2 introduces the new backup-restore assistant and offers greater flexibility in restoring backups. This version also removes the earlier practical restrictions on restoring backups.
Backup-restore assistant: The enhanced backup-restore functionality allows you to see and change the default port mapping in the new assistant. The assistant is available for backups from 19.5 MR4 and later versions restored to 20.0 MR2 and later.
Greater flexibility: The following features are available for backups from all supported versions restored to 20.0 MR2 and later:
- Wider model compatibility: You can move from a higher to a lower-capacity appliance model and restore existing backups. For example, you can restore backups from a 1U XG Series firewall model to the desktop XGS 126 model of the more powerful XGS Series firewalls. You can also restore backups among hardware appliances, cloud, virtual, and software firewalls.
- Change the interface mapping: You can change the default interface mapping and map a physical interface to a different one, including higher-speed ports. For example, you can map a 10 GbE port to a 40 GbE port. You can change the parent interfaces of VLAN and LAG interfaces.
- High availability ports: You can restore HA backups to devices with fewer or more interfaces. The dedicated HA link can be on a different port in the target device. See the help page Key interface mapping concepts in 20.0 MR2.
The release eliminates previous limitations that required the target device to have the same number of interfaces and the same dedicated HA link port as the backup.
Backup-restore links
- Use the tool to check if you can restore backups between appliance models and platforms. Check compatible devices to restore backups.
- Watch the video Backup-restore enhancements.
- See the help page Restore backups to 20.0 MR2.
Other security and flexibility enhancements
- More transparent AD SSO experience when HSTS is enforced, enabling the Kerberos or NTLM handshake to take place over HTTP or HTTPS.
- Improved interactions with an Active Directory domain when a high availability failover occurs.
- Enhanced Web Protection performance with reduced system load when enforcing SafeSearch, YouTube restrictions, Google App login domain restrictions, and Azure AD tenant restrictions.
- Cipher compliance: You can set your security balance for cipher compatibility or audit compliance (PCI) by customizing the allowed cipher suites. Read the knowledgebase article TLS 1.1 and cipher support in captive portal and web proxy.
Version 20.0 MR1 Build 342
Released on May 15, 2024
New features
Important points to know before you upgrade
SSL VPN compatibility for 20.0 MR1 and later with EoL SFOS versions and UTM9 OS
OpenVPN has been upgraded to 2.6.0 in this version. Firewalls upgraded to 20.0 MR1 and later versions won't establish SSL VPN tunnels with the following clients and firewall versions:
- SFOS 18.5 and earlier versions (end-of-life): Site-to-site SSL VPNs won't be established between SFOS 18.5 or earlier versions and SFOS 20.0 MR1 and later. We recommend that you upgrade both firewalls to 20.0 MR1 and later versions at the same time. Alternatively, you can use site-to-site IPsec or RED tunnels.
- Legacy SSL VPN client (end-of-life): Remote access SSL VPN tunnels won't be established with the legacy SSL VPN client, which is already end-of-life. You can use the Sophos Connect client or third-party clients, such as OpenVPN client, or use remote access IPsec tunnels. See Remote access SSL VPN with the Sophos Connect client. See Remote access IPsec VPN.
- UTM9 OS: Site-to-site SSL VPNs won't be established between UTM9 OS and SFOS 20.0 MR1 and later versions. We recommend that you migrate these to 20.0 MR1 and later versions. Alternatively, you can use site-to-site IPsec or RED tunnels.
For site-to-site IPsec tunnels, see Route-based VPN. For RED tunnels, see Site-to-site RED tunnel.
End-of-life RED devices
20.0 MR1 and later versions won't support the following legacy RED devices: RED 15, 15w, and 50. They have been declared end-of-life in 2023. For more details, see the article Sophos RED: End-of-life of RED 15/15(w) and RED 50.
LINCE certification
You can configure the following Sophos Firewall platforms to use a cryptography library that meets Spain's National Essential Security Certification (LINCE):
- XGS series hardware appliances
- Cloud, virtual, and software firewalls
For more details, see the help page National Essential Security Certification (LINCE).
Device access and Local service ACL exception rules
Device access: This release offers enhancements to the device access grid for access from zones to certain services. The grid has also been grouped to offer intuitive configurations and granular control:
- IPsec and RED: IPsec and RED services are available on Device access to allow or block traffic based on zones. For example, you can block access to RED service from WAN while allowing access from other zones.
- VPN services: IPsec, SSL VPN, VPN portal, and RED are grouped under VPN services.
Local service ACL exception rule:
- List view: The list view of exception rules provides detailed information, such as source, destination, service, and action, with full visibility into the rules, eliminating the need to open the rule to check information.
- Services: All the services in the device access grid are now available under services in the exception rule, including RED and IPsec services, offering granular control. For example, you can create an exception rule to allow or block VPN on a specific interface when the service is allowed from WAN. You can also specify the country and IP address, dropping VPN requests from specific countries, such as China, and allow VPN traffic from known FQDNs. The additional services available in exception rules are AD SSO, RADIUS SSO, Captive portal, Client authentication, Chromebook, Wireless, SMTP, SNMP, RED, and IPsec.
- Additional object types: The object types, FQDN host, FQDN host group, MAC address, and MAC address list, are available for selection in source and destination hosts, eliminating the need to update dynamic IP addresses in local ACL exception rules.
SD-WAN enhancements for scalability
- Scalability: This version brings 4x improvements in the gateway availability time during HA failover and device restart, ensuring minimal traffic disruption.
- Detailed information view: SD-WAN routes show important gateway information, such as IP address, interface, and name, when you hover over the gateway while configuring the route.
VPN enhancements
SSL VPN
- OpenVPN 3.0: Sophos Firewall is now compatible with OpenVPN 3.0 clients. Users can download the compatible configuration file from the VPN portal.
IPsec VPN
- Phase I ciphers: The GCM suite-B ciphers, AES256GCM16, AES192GCM16, and AES128GCM16, are available for Phase I IKEv2 tunnels, offering better throughput and greater interoperability with third-party devices.
- System-generated traffic: CLI commands are available to prevent system-generated traffic from flowing through policy-based IPsec tunnels when the remote subnets are set to Any. For details, see the routing commands.
- The firewall now uses the upgraded strongSwan version 5.9.11.
DHCP enhancements
- IPv6 DHCP prefix delegation: The firewall requests the preferred prefix from the ISP each time you update the interface configuration or when the firewall restarts.
- DHCP lease time: DHCP clients will make renewal requests at 30 seconds if the lease interval's half-time is 30 seconds or less, ensuring continuous WAN connectivity.
- Boot options: DHCP now supports boot server and boot file options in the DHCP header. You can also continue to send the parameters through specific DHCP options to provision network devices.
Logging enhancements
- Download log files: You can download individual log files from the web admin console on the Diagnostics page under Troubleshooting logs. The Consolidated Troubleshooting Report (CTR) continues to have all the log files.
- Default log lines in CTR: The default number of log lines for log files in the Consolidated Troubleshooting report is now 10,000.
- Syslog delimiter: You can customize the delimiter in syslog event messages, offering flexibility in managing log data.
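A syslog collector has to split events with the same delimiter the firewall is configured to send, or fields break apart. The following delimiter-aware parser is an added example (not Sophos code) run over constructed SFOS-style events; the field names and values are assumptions, not real logs.

```python
"""Parser for key="value" syslog events with a configurable field delimiter.

Added example, not Sophos code. SFOS event logs are a sequence of key=value
pairs, most values double-quoted and able to contain spaces. 20.0 MR1 lets you
customize the delimiter between pairs, so a collector must split with the same
delimiter. The sample events below are constructed (field names are assumptions).
"""
from typing import Dict, List, Tuple

# Constructed sample events, space-delimited (the default delimiter).
SAMPLE_SPACE = [
    'device_name="SFW-BRANCH-01" timestamp="2024-07-24T10:15:02+0000" '
    'log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" '
    'log_id="010101600001" priority=Information fw_rule_id="12" '
    'src_ip="10.1.2.3" dst_ip="203.0.113.7" dst_port="443"',
    'device_name="SFW-BRANCH-01" timestamp="2024-07-24T10:15:09+0000" '
    'log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" '
    'log_id="010202601001" priority=Warning fw_rule_id="0" '
    'src_ip="10.1.2.9" dst_ip="198.51.100.22" dst_port="23"',
]
# The same two events as a firewall with the delimiter customized to "|" would send them.
SAMPLE_PIPE = [
    'device_name="SFW-BRANCH-01"|timestamp="2024-07-24T10:15:02+0000"|'
    'log_type="Firewall"|log_component="Firewall Rule"|log_subtype="Allowed"|'
    'log_id="010101600001"|priority=Information|fw_rule_id="12"|'
    'src_ip="10.1.2.3"|dst_ip="203.0.113.7"|dst_port="443"',
    'device_name="SFW-BRANCH-01"|timestamp="2024-07-24T10:15:09+0000"|'
    'log_type="Firewall"|log_component="Invalid Traffic"|log_subtype="Denied"|'
    'log_id="010202601001"|priority=Warning|fw_rule_id="0"|'
    'src_ip="10.1.2.9"|dst_ip="198.51.100.22"|dst_port="23"',
]

# Numeric counters and ports. log_id is deliberately not listed: it is an
# identifier with leading zeros and must stay a string.
INT_FIELDS = ("fw_rule_id", "src_port", "dst_port")


def parse_event(line: str, delimiter: str = " ") -> Dict[str, str]:
    """Split one event into key/value pairs.

    Quoted values may contain the delimiter; unquoted values run to the next
    delimiter. Raises ValueError when the line does not fit the expected shape,
    which is what a delimiter mismatch between firewall and collector looks like.
    """
    if not delimiter:
        raise ValueError("delimiter must be non-empty")
    fields: Dict[str, str] = {}
    i, n = 0, len(line)
    while i < n:
        if line.startswith(delimiter, i):  # skip delimiters between pairs
            i += len(delimiter)
            continue
        eq = line.find("=", i)
        if eq == -1:
            raise ValueError(f"no key=value pair at offset {i}: {line[i:]!r}")
        key = line[i:eq]
        if not key or delimiter in key:
            raise ValueError(f"malformed key at offset {i}: {key!r}")
        i = eq + 1
        if i < n and line[i] == '"':  # quoted value: read to the closing quote
            end = line.find('"', i + 1)
            if end == -1:
                raise ValueError(f"unterminated quoted value for {key!r}")
            value, i = line[i + 1:end], end + 1
        else:  # unquoted value: read to the next delimiter (or end of line)
            end = line.find(delimiter, i)
            end = n if end == -1 else end
            value, i = line[i:end], end
        if i < n and not line.startswith(delimiter, i):
            raise ValueError(f"expected delimiter after {key!r} at offset {i}")
        fields[key] = value
    return fields


def is_well_formed(line: str, delimiter: str = " ") -> bool:
    """True when the line parses cleanly with the given delimiter."""
    try:
        parse_event(line, delimiter)
        return True
    except ValueError:
        return False


def normalize(fields: Dict[str, str]) -> Dict[str, object]:
    """Type numeric fields, keeping log_id as a string."""
    rec: Dict[str, object] = dict(fields)
    for key in INT_FIELDS:
        if key in fields and fields[key].isdigit():
            rec[key] = int(fields[key])
    return rec


def denied_events(lines: List[str], delimiter: str = " ") -> List[Tuple[str, str, int]]:
    """Return (src_ip, dst_ip, dst_port) for every Denied event in the feed."""
    hits = []
    for line in lines:
        rec = normalize(parse_event(line, delimiter))
        if rec.get("log_subtype") == "Denied":
            hits.append((rec["src_ip"], rec["dst_ip"], rec["dst_port"]))
    return hits


if __name__ == "__main__":
    print("default delimiter:", denied_events(SAMPLE_SPACE))
    print("custom delimiter :", denied_events(SAMPLE_PIPE, "|"))
    print("mismatch parses? ", is_well_formed(SAMPLE_PIPE[0], " "))
```

Parsing a pipe-delimited feed with the default space delimiter raises rather than silently producing wrong fields, which is the check to run before changing the delimiter on a production firewall.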
True Zero Touch configuration
TPM-based True Zero Touch is available to remotely deploy firewalls in branch offices through Sophos Central. You'll specify the firewall configuration in Sophos Central. The remote firewall administrator connects the firewall to the internet and turns it on. The firewall connects to Sophos Central, downloads and applies the configuration, and then registers with Sophos Central. For more details, see the Sophos Central help.
RED
SD-RED now supports bridge configuration for WAN interfaces with the RED tunnel.
Other enhancements
- Generative AI assistant: The firewall now provides assistance using Generative AI through Sophos Assistant with dynamic help and configuration steps.
- Automatic language detection: The web admin console and user portal automatically select and store the browser's preferred language for languages the firewall supports, offering a seamless sign-in experience.
- Custom gateways: Custom gateways now support the link-local address.
- Data optimization in Synchronized Application Control: The firewall only retains the recent five occurrences for each application detected by SAC per endpoint.
- IPv4 internet host group: Updated the default public IPv4 host ranges to contain all the public IPv4 address ranges.
- Object descriptions: Added description fields for IP, MAC, FQDN, and service objects.
- Country list: Updated the country list.
- Web: In the web proxy, we've refined the Pharming protection feature to address a potential vulnerability arising from modifications to the destination IP address during proxy DNS resolution. With the updated behavior, the firewall policy will now undergo re-evaluation using the DNS-resolved IP address from Pharming protection.
- XML API: 20.0 MR1 and later versions don't support the XML API version for the end-of-life versions 17.5 and 18.0. If the APIVersion tag you use shows old versions, change the tag to the supported API versions.
Version 20.0 GA Build 222
Released on November 06, 2023
New features
Active threat response
Active threat response integrates Managed Detection and Response (MDR) threat feeds with Sophos Firewall. Synchronized Security extends to Active threat response, enabling the firewall to automatically shut down active threats in the network.
MDR threat feeds
Active threat response brings the MDR service to Sophos Firewall through MDR threat feeds. Security analysts from the Sophos MDR team (or your XDR SOC team in the future) can share threat intelligence related to your network, pushing active threat information in real time to the firewall. Based on the threat feeds, the firewall automatically blocks traffic, including DNS requests and HTTPS traffic, from any host in the network that tries to communicate with malicious IP addresses, domains, or URLs. Additional rules and policies aren't required for the Active threat response action. Watch the video Active threat response with MDR threat feeds.
Synchronized Security: Active threat response extends the automated response of Synchronized Security, previously based on the RED Security Heartbeat, to MDR threat feeds in the firewall. Based on the threat feed, the firewall automatically queries any Sophos-managed endpoint attempting to communicate with malicious servers for additional information, such as the host, user, and process, which enables you to determine any Indicators of Compromise (IoC). It prevents compromised endpoints from moving laterally or communicating outward, shutting down active threats in the network.
The release enhances Synchronized Security with added scalability and reduced false missing heartbeats for endpoints in sleep or hibernate status.
Dynamic threat feeds
Sophos X-Ops threat feeds: Advanced threat protection has been renamed Sophos X-Ops threat feeds. It offers periodic updates of threat feeds from SophosLabs.
Extensible framework for dynamic threat feeds: Active threat response introduces a new extensible API framework for dynamic threat feeds in the firewall. The framework enables the following threat intelligence to be shared with the firewall:
- Sophos products and services, such as Sophos X-Ops and MDR threat feeds.
- Third-party threat feeds in a future release.
Network scalability and resiliency for distributed enterprises
The release offers VPN, IPv6, and SD-WAN enhancements with scalability, security, and interoperability.
VPN enhancements
- VPN portal: A new, hardened, containerized self-service VPN portal is available for remote access VPN users. It contains remote access downloads, such as the Sophos Connect client and configurations, and performs auto-provisioning for remote access VPN connections. It also contains clientless VPN bookmarks.
  These services are no longer available in the user portal, minimizing the need to expose the user portal to WAN and tightening its security. To maintain compatibility, the VPN portal is available by default on the previous user portal port (443). It can share a common port with WAF or SSL VPN. The user portal now uses port 4443 by default. See the help for Port sharing among services.
  For migration details and how port settings apply from Sophos Central, see the knowledge base article New VPN portal in SFOS 20.0 and later.
- FQDNs in SSL VPN: Fully qualified domain name (FQDN) host and group support is available for remote access and site-to-site SSL VPNs. You can select these under permitted, local, and remote networks.
- IPsec VPN:
  - Stateful HA failover: Seamless transition for route-based, policy-based, and remote access VPNs without losing tunnel connectivity during high-availability failover. Also supports seamless connection failover for stateless protocols with minimal packet loss.
  - SNMP monitoring for tunnel status: Added MIB entries to monitor the following IPsec VPN tunnel statuses through SNMP: activate, deactivate, connected. You can download the new MIB file from the web admin console.
  - Multiple remote gateway support for route-based VPN: You can enter a wildcard address (*) for the remote gateway in route-based VPNs. This eliminates the need for explicit DDNS or FQDN configuration in dynamic gateway IP deployments.
  - Unique preshared keys: You can have unique preshared keys (PSK) for VPN connections with the same local and remote gateway settings if you use IKEv2 profiles and configure a unique set of local and remote IDs.
  - DH groups 27 to 30: DH groups 27 to 30 are available for IKEv2 IPsec profiles based on RFC 6954.
Watch the video VPN enhancements.
IPv6 DHCP prefix delegation and BGP, SD-WAN
- IPv6 DHCP prefix delegation: Seamless integration with DHCP prefix delegation by ISPs for internal networks. This automates the assignment of IPv6 prefixes to internal subnets, simplifying network setup and reducing manual configuration. Watch the video DHCP prefix delegation.
- BGP IPv6: Enhancements to the dynamic routing engine now support BGPv6 for improved IPv6 interoperability. Watch the video IPv6 dynamic routing in Border Gateway Protocol.
- SD-WAN scalability: Increased scalability for SD-WAN gateways by 3 times to 3072 gateways and the number of SD-WAN profiles to 1024.
SASE and remote worker protection
Key remote worker and branch office protection capabilities delivered by cloud-hosted network security services (ZTNA, SD-WAN, and DNS protection) are now integrated into Sophos Firewall, both on-premises and cloud-hosted.
- ZTNA Gateway: Sophos ZTNA Gateway is now available in Sophos Firewall, greatly simplifying ZTNA deployment. You can use ZTNA as a replacement for remote access VPN with higher security, seamless scalability, easier management, and a more transparent end-user experience.
  - Direct integration in Sophos Firewall: The ZTNA gateway is directly integrated into the firewall, eliminating the need for a separate gateway on a VM for remote access to systems and applications hosted behind the firewall. You don't need to deploy additional applications on your network to support ZTNA secure access. You only deploy a single agent on the remote endpoint.
  - Free trial: A ZTNA free trial is available in Sophos Central. You can use this trial to explore ZTNA and manage the firewall or internally hosted systems and applications with high security.
- SD-WAN backbone on-ramping: We built SD-WAN partnerships with top-tier SD-WAN backbone providers to enable smooth and easy on-ramping of local SD-WAN traffic to these high-performance global networks. Sophos Firewall connects seamlessly to these networks, enabling high-performance connectivity and routing, as well as access to their SASE security services. These SD-WAN backbone providers are as follows:
  - Akamai SIA integration: With the Akamai Secure Internet Access (SIA) integration, you can on-ramp traffic from Sophos Firewall to Akamai SIA SSE (Security Service Edge) using redundant and resilient SD-WAN over route-based IPsec VPN tunnels. For configuration details, see the recommended read Connect Akamai SIA and Sophos Firewall.
  - Cloudflare Magic WAN integration: You can on-ramp traffic from Sophos Firewall to Cloudflare Magic WAN using redundant and resilient SD-WAN over route-based IPsec VPN or GRE tunnels. For configuration details, see the recommended read Connect Cloudflare Magic WAN and Sophos Firewall.
  - Azure Virtual WAN: Integration with Azure Virtual WAN offers Sophos Firewall protection to applications and network traffic flows along with scalable SD-WAN connectivity to deploy the Microsoft Global Network as a secure enterprise WAN backbone. For configuration details, see the recommended read How to Integrate Sophos Firewall with Azure Virtual WAN (Secure SD-WAN).
- Sophos DNS protection: Sophos Firewall fully supports the upcoming release of Sophos DNS protection, a new cloud-delivered web security service. Sophos DNS Protection delivers a new domain name resolution service (DNS) with compliance and security features hosted by Sophos. The service provides an additional layer of web protection, preventing access to known compromised or malicious domains across all ports, protocols, and applications, including encrypted and unencrypted traffic.
  The new Sophos DNS protection service will soon be available for early access.
Quality of life enhancements
- Turn interfaces on or off: Turn interfaces on or off while retaining their configurations. The turned-off status appears on the Control center.
  You can't turn off alias or tunnel interfaces and members of a LAG or bridge interface, but you can turn off the entire LAG or bridge interface.
- Object reference lookup: You can see the usage count of all host and service objects and the list of all locations where each object is in use, such as rules, policies, and routes. For many of these locations, you can edit or remove objects from the object list without opening the location itself.
- High resolution for web admin console: The web admin console now supports high-resolution displays with a scalable user interface. Tables use the Full HD width (1920 pixels) to show more information, reducing the need to scroll horizontally.
- Automatic rollback for failed firmware updates: If a firewall, including high-availability devices, can't complete a firmware upgrade, the firewall (or the cluster) is automatically rolled back to the previous firmware version. An alert appears in the Control center.
- Backup-restore: You can restore backups from a firewall with integrated Wi-Fi to a firewall without integrated Wi-Fi. You must remove the wireless networks in the firewall before taking the backup.
- Microsoft Entra ID (Azure AD) SSO: Watch the video Captive portal SSO and group import.
  - Captive portal: Microsoft Entra ID (Azure AD) SSO now supports user authentication through the captive portal. Version 19.5 added Azure AD SSO authentication for the web admin console.
  - Import groups: You can use the new import assistant to import all Microsoft Entra ID (Azure AD) groups or those that match the attributes you specify from Azure Portal. This eliminates the need to create groups manually in the firewall.
  - Automatic Azure RBAC: Introduces Role-based Access Control (RBAC). If you change a user's role in Azure Portal, the firewall automatically applies their new role when they next sign in. It also applies the profile and privileges that apply to the new role.
Watch the video Quality of life enhancements.
Web Application Firewall (WAF)
- Geo-IP policy enforcement: You can block users from accessing resources protected by WAF from the countries you specify or IP addresses that can't be associated with a specific country.
- Custom ciphers and TLS version settings: Enables the use of more secure ciphers while excluding less secure ciphers.
- Improved security: Adds HTTP Strict Transport Security (HSTS) for HTTPS enforcement in the client (browser) and X-Content-Type-Options enforcement to provide MIME-type sniffing protection.
Azure enhancements
Azure Single Arm Deployment Support: For Microsoft Azure public cloud deployments, you can choose a smaller instance size with single arm deployments and save your infrastructure costs. This reduces network and operational complexity.
Resolved issues
Version 20.0 MR2 Build 378
Issue ID | Component | Description |
---|---|---|
NC-131391 | Authentication | L2TP authentication isn't working with Windows Automatic Logon enabled in VPN adapter. |
NC-132907 | Authentication | Access server coredump user disconnection. |
NC-127665 | CDB-CFR, CM | Firewall shows disconnected status on Sophos Central after the firewall restarts. |
NC-136645 | Certificates | Certificates from Starfield Secure Certificate Authority - G2 were untrusted in 20.0 MR1. |
NC-127253 | Clientless Access | HTTP Host header injection in VPN portal. |
NC-132845 | CSC | Log viewer shows a blank username field when a user is deleted in virtual firewall. |
NC-130879 | DHCP | DHCP relay fails intermittently, and clients no longer receive an IP address. Changing the DHCP relay configuration makes it work again. |
NC-136246 | DHCP | DHCP server doesn't start when Boot options are configured with URL. |
NC-126576 | Email | Greylisting doesn't work. |
NC-128229 | Email | Turning on SPF check isn't an option to block spoofed emails of the internal domain. |
NC-131106 | Email | Inbound email isn't delivered to the mailbox when SMTP scanning is on in legacy mode. |
NC-132557 | Email | HA synchronization issue for email encryption SPX template. |
NC-133157 | Email | Unable to send backups using Amazon SES. |
NC-135882 | Email | Regression in IMAP proxy. |
NC-134783 | Firewall | Unable to see IP Host or MAC host in the firewall. |
NC-136153 | Firewall | Local ACL exception rule doesn't work for SMTP relay. |
NC-136681 | Firewall | Unable to access the web admin console of remote firewall with site-to-site VPN using NAT. |
NC-125024 | Firmware Management | Incorrect pop-up message while updating a standalone HA device. |
NC-131100 | Firmware Management | SNMP server shows 100 percent /tmp/npu_diag usage. |
NC-132862 | Firmware Management | SSH Terrapin prefix truncation weakness (CVE-2023-48795). |
NC-135340 | Firmware Management | Restrict parallel firmware upgrade flows. |
NC-130404 | HA | License issue in auxiliary device in active-passive HA pair. |
NC-135699 | HA | Firewall web admin console doesn't respond on HA page. |
NC-133495 | Interface Management | Can't turn off Port1 if web admin console language is set to German. |
NC-136619 | Interface Management | udhcpc isn't sending a renew request with a low lease time of 40 seconds. |
NC-132542 | IPS-DAQ | Memory allocation failure in jumbogram causes IPS log to grow in GBs. |
NC-135467 | IPsec | Unable to connect IPsec tunnel when the port is turned off, and the local gateway is changed to an active port. |
NC-136651 | IPsec | Charon high CPU for IPsec passthrough traffic. |
NC-133699 | Localization | German language errors in the firewall. |
NC-129242 | Logging Framework | Notification plugin reconfiguration failure causes crash in fca_output. |
NC-136693 | Logging Framework | Control center doesn't show bandwidth utilization by interfaces. |
NC-133375 | Logging Framework (Central Reporting) | Garner doesn't respond. |
NC-128941 | NFP-Firewall, XGS-IPsec | Traffic doesn't flow through IPsec tunnel when ipsec-acceleration is on. |
NC-137333 | Service Object | Missing entries for Services on web admin console after changes were made. |
NC-132821 | Static Routing | Staticd service stopped after upgrading the device to 19.5 MR4. |
NC-135342 | SupportAccess | Support access isn't working after a restart. |
NC-131365 | UI Framework | DNS server IP address in DHCP server configuration changes unexpectedly in the XG web admin console. |
NC-131782 | WAF | After a second HA failover, GeoIP settings in WAF rules are lost. |
NC-100895 | Web | Unable to remove URL from web category when URL contains "\" backward slash character. |
NC-113504 | Web | Unable to add a second URL with the same parent domain. |
NC-115849 | Web | Zero-day protection page doesn't load if filename ends in percent. |
NC-131685 | Web | HTTPS error 502 while browsing URL cosmopolitan.com in legacy web proxy mode due to trailers. |
NC-131687 | Web | HTTPS error 502 while browsing URL scottdirect.com in legacy web proxy mode because header size was greater than 8k. |
NC-128897 | WebInSnort | Previously allowed applications get blocked. |
NC-132126 | Wireless | Wi-Fi separate zone doesn't match the firewall rule. |
NC-131582 | XGS BSP | No traffic except on the management port after a restart. |
NC-132065 | XGS BSP | SFP ports don't respond after an upgrade to 20.0. |
Version 20.0 MR1 Build 342
Issue ID | Component | Description |
---|---|---|
NC-77828 | API Framework | Unable to import user activity that contains web categories with special characters. |
NC-122760 | AppFilter Policy | Unable to update or push app filter policy from Sophos Central. |
NC-120582 | Authentication | Updated the log message for brute force sign-in event. |
NC-120484 | WebInSnort | Firewall stops responding because of out-of-memory issue. |
NC-120875 | Authentication | AD group import fails when username has special characters. |
NC-121619 | Authentication | Admin access to the web admin console gets blocked after two wrong attempts when MFA is on. |
NC-124603 | Authentication | When the primary user group ID is greater than 9999, captive portal disconnects within 5-10 seconds of signing in. |
NC-124684 | Authentication | Static IP address isn't released sporadically for SSL VPN users. |
NC-127830 | Authentication | RADIUS users who aren't part of VPN group are able to connect to SSL VPN. |
NC-128138 | Authentication | Captive portal with custom code isn't working properly. |
NC-131097 | Authentication | When the AD server connection flaps, ldap_bind blocks for 30 minutes, resulting in time-out and failure of new authentication requests. |
NC-131290 | Authentication | Web admin console sign-in error when Azure AD SSO is used: Firewall is starting. |
NC-125264 | Azure | Firmware upgrade of SFOS on Azure to 20.0 GA fails and results in a single NIC if it was configured with three or more NICs. |
NC-124919 | CDB-CFR, CM, CM (Zero Touch) | Firewall's web admin console shows the ZT and CZT wizard even after ZT and CZT are completed because nvram flag isn't reset. |
NC-119857 | CM | Firewall's Web admin console stops responding on the Sophos Central page. |
NC-124391 | CM | VPN tunnel flaps between the firewall and a third-party firewall. |
NC-129249 | CM, Core Utils | Fixed vulnerabilities in libssh2 CVE-2023-48795 for Sophos Central services. Upgrade to SFOS 20.0 MR2 for the full fix to all firewall services. |
NC-127120 | Core Utils | Fixed NPU log error. |
NC-126965 | DHCP | Firewall stops logging DHCP logs, and Garner service doesn't respond and can't be restarted. |
NC-128820 | DHCP | DHCP server configured with relay agent request with All interface selection doesn't work after migration or restoring a backup. |
NC-129171 | DHCP | DHCP stopped working after upgrade from 19.5.3 to 20 GA. |
NC-117690 | DHCP | DHCP Next server and Boot file ignored PXE Boot DHCP options 66 and 67. |
NC-116339 | Wireless | Hostapd service stops responding after wireless network is added to the access point group. |
NC-126738 | Interface Management | HA isn't established with VLAN over unbound interface as dedicated link. |
NC-125076 | Dynamic Routing (BGP), Dynamic Routing (OSPF) | Zebra continuously restarts when configuration contains a gateway IP address that's actually the broadcast IP address. |
NC-120967 | Email | Inbound and outbound emails are delayed after firmware is upgraded to 19.5.2. |
NC-121980 | Email | Users receive duplicate emails. |
NC-122260 | Email | Two email addresses in Return-Path: and From: header after you release and report emails from Quarantine digest in SFOS 19.5.1 and 19.5.2. |
NC-123889 | Email | High CPU usage by warren after upgrade to 19.5.3. |
NC-124266 | Email | Notification emails are getting stuck in mail spool when there is a smarthost with RED tunnel setup. |
NC-124453 | Email | Not able to see, release, or delete emails from SMTP quarantine. |
NC-125084 | Email | DKIM isn't working as expected. |
NC-133277 | Email, WAF | UX issue for DH group in IPsec profiles. |
NC-119893 | Firewall | SFOS is accessible to requests from another network for network and broadcast IP addresses. |
NC-123538 | Firewall | MAC filter spoof check doesn't work. SPOOF_CHECK chain entry is missing. |
NC-123249 | Wireless | Access points remain offline if device is restarted after turning off the Wireless Protection option. |
NC-124012 | Firewall | NAT rule isn't marked even after an upgrade to 19.5.3. |
NC-124251 | Firewall | RED service doesn't respond. |
NC-124551 | Firewall | Firewall rules don't work after upgrade from 18.5.3 to 19.5.3. |
NC-127532 | Firewall | Logviewer shows source IPv6 address in dst_trans_ip field for IPv6 hairpin NAT. |
NC-120434 | Firmware Management | Discrepancy in HA role status. |
NC-125791 | Firmware Management | High SWAP memory issue for a virtual appliance. |
NC-132224 | Firmware Management | Upgrade to 20.0 failed on XGS 87 with Invalid firmware error. |
NC-118929 | HA | msyncd stops tracking events and doesn't start tracking again. |
NC-120730 | HA | HA failover results in missing configurations. |
NC-124105 | HA | Configuration changes show the following error: The Operation will take time to complete. The status can be viewed from the Log viewer page. |
NC-128183 | Hardware | Flexi module port doesn't work on XGS 2100 after the firewall restarts. |
NC-122885 | Import-Export Framework | Unable to export user configuration in 20.0.1. |
NC-124721 | Interface Management | Firewall stops responding and requires a restart. |
NC-133495 | Interface Management | Can't turn off Port1 if the web admin console language is set to German. |
NC-119561 | IPS-DAQ | Inject buffer leak causes traffic outage. |
NC-124957 | IPS-DAQ | FIN and RESET packets leave WAN interface with LAN IP address information. |
NC-125294 | IPS-DAQ-NSE | Firewall drops reset packet in LAN-to-LAN communication when DPI is on. |
NC-130365 | IPS-DAQ-NSE | Slower download speed for TLS-inspected traffic from some servers. |
NC-121370 | IPsec | Memory usage of XG 230 has been increasing since it was upgraded to 19.5.1-Build 278. |
NC-123233 | IPsec | IPsec SA establishment is sporadically interrupted. |
NC-123230 | Wireless | LocalWiFi status isn't correctly reflected on the access points page. |
NC-124464 | IPsec | strongSwan service fails to start after HA failover. |
NC-127177 | IPS Engine | IPS logs aren't generated in Log viewer. |
NC-125251 | IPS Ruleset Management | Count issue related to firewall rules with IPS for read-only administrator profile. |
NC-68574 | Logging Framework | Logs with Central Reporting enabled are sent to unreachable syslog server at 127.0.0.1. |
NC-117777 | Logging Framework | Network traffic report calculation shows different values at different times. |
NC-118327 | Logging Framework | With the Standard Syslog Protocol format, logs contain the log_id key as both a number and a string. |
NC-122033 | Logging Framework | WAN interface graph shows incorrect values for historical data collected five minutes before or after the hour limit. |
NC-123602 | Logging Framework | /conf partition gradually increases in XG 86 and XGS 87. |
NC-123771 | Logging Framework (Central Reporting) | Central Report hub doesn't show the past 24-hour statistics from the firewall because SFOS sends reports to Sophos Central at a low rate. |
NC-124987 | NFP-Firewall | Access to remote network over IPsec VPN stops. Packet capture mitigates the issue. |
NC-125112 | NFP-Firewall | RED tunnel down in 19.5.3. Turning off firewall acceleration resolved the issue. |
NC-128656, NC-128159 | nSXLd, CM | nSXLD times out when the first two DNS servers aren't reachable and the third DNS server is reachable. |
NC-133022 | nSXLd | Fixed the "invalid traveller type" error. |
NC-115843 | PPPoE | Scheduled PPPoE reconnect doesn't work. |
NC-115457 | XGS BSP | Fiber interfaces are taking more time to negotiate in XGS than in XG. |
NC-128072 | PPPoE | Missing PPPoE logs. |
NC-123969 | RED | Primary device automatically restarts and fails over to the auxiliary. |
NC-126941 | RED | For site-to-site RED from XG 106, client doesn't automatically reconnect after the tunnel goes down. |
NC-130949 | RED | Some RED devices went down after firewall firmware was downgraded from 20.0 to 19.5.3. |
NC-122948 | SDWAN Routing | Garner logs are filled with the SD-WAN route gateway resolution message. |
NC-126363 | SDWAN Routing | A firewall rule isn't matched occasionally. |
NC-127524 | SDWAN Routing | SD-WAN route and default MASQ are applied to system-generated traffic for policy-based IPsec VPN. |
NC-124588, NC-124590 | SecurityHeartbeat, LCD Framework | Certain heartbeat opcodes are always called with the debug details even though csc isn't in debug mode. |
NC-129618 | SecurityHeartbeat | Heartbeat service dead due to malformed MAC address. |
NC-123237 | SSLVPN | Grammar error on the web admin console for route-based VPN connection. |
NC-123723 | SSLVPN | XG 86w doesn't reconnect SSL VPNs after a restart. |
NC-124647 | SSLVPN | Unable to connect to SSL VPN after firmware was upgraded to 19.5.3. |
NC-128468 | SSLVPN | Unable to generate the .ovpn file because of missing server_dn in tblsslvpnglobalconf when custom certificate is used. |
NC-128469 | SSLVPN | Some AD users are unable to download the SSL VPN configuration file from the user portal. |
NC-130692 | SSLVPN | Special characters are replaced with encoded values. |
NC-130938 | SSLVPN | More certificates in .ovpn file than before upgrade. |
NC-131180 | SSLVPN | SSL VPN remote access resources become inaccessible. |
NC-118599 | Static Routing | Static route configuration must prevent configuration of the interface IP address as gateway IP address. |
NC-120986 | Static Routing | When HA is disabled, the previous auxiliary isn't able to update its firmware because of Zebra CLI backend routes. |
NC-119425 | Synchronized App Control | Garner log filled with "usercache_output: cannot resolve appcatid 0". |
NC-119289 | Wireless | Hotspot voucher shows SSID WLAN password after removing SSID encryption from wireless network settings. |
NC-79314 | UI Framework | UX issue on SD-WAN profiles. |
NC-118925 | UI Framework | Failed to restore backup if the backup file name has & in the prefix. |
NC-118913 | Wireless | AP firmware isn't automatically updated after AP pattern update. |
NC-123712 | UI Framework | Web admin console stops responding. |
NC-124188 | UI Framework | Fixed HTTP Host Header Injection in the user portal. |
NC-124909 | VFP-Firewall | Firewall automatically restarted. |
NC-124519 | WAF | Form-based authentication doesn't work after upgrade from 19.5.2 to 19.5.3. |
NC-125102 | WAF | WAF outage several times a day due to a coredump. |
NC-130528 | WAF | Missing WAF parameters in XML API. |
NC-130684 | WAF | Unable to update WAF rule after updating the certificate. |
NC-130710 | WAF | Can't upgrade to 20.0 if a rule template exists with the same name as a new template name. |
NC-81555 | Web | Removing all domains or keywords from a custom category doesn't work. |
NC-124040 | Web | Unable to get proper "Web activity category" report under "Blocked Web attempts". |
NC-125115 | Web | awarrenhttp doesn't start if nasm isn't running. |
NC-127260 | Web | Continuous coredumps are generated. |
NC-128631 | Web | Network outage when downloading files with .hpi extension. |
NC-128520 | Wireless | Unable to restore backup from XG 135w to XGS 2100. |
NC-131591 | Web | awarrenhttp must reconnect to nSXLD after a time-out. |
NC-118893 | WebInSnort | WebInSnort logs RSA key size 3072 as key_param="RSA unknown type" in Log viewer. |
Version 20.0 GA Build 222
Issue ID | Component | Description |
---|---|---|
NC-125331 | Authentication | Azure AD SSO captive portal authentication is stuck when the web proxy listening port isn't 3128. |
NC-125589 | DHCP, DHCP PD | On-link and autonomous settings are turned off in automatically created RA server for delegated interface. |
NC-125595 | DHCP, DHCP PD | Incorrect error message when creating downstream interface with invalid subnet ID. |
NC-124414 | | SPX password exposure in plain text (CVE-2023-5552). |
NC-125369 | | Exim libspf2 vulnerability (CVE-2023-42118). |
NC-125221 | RED | RED doesn't establish site-to-site tunnels when RED server enforces TLS 1.2. |
NC-119334 | Backup-Restore | The backup download button is unresponsive. |
NC-118460 | Dynamic Routing (PIM) | Clicking PIM-SM interface table shows the error "Unable to read routing information". |
NC-116220 | | Awarrensmtp was in failed status, and inbound email wasn't delivered, but a non-delivery report wasn't sent to senders. |
NC-117638 | | Emails are quarantined even if the sender address is added in exception. |
NC-124102 | | Unable to turn off legacy TLS protocols. |
NC-107708 | Firewall | Firewall restarts automatically (RIP 0010muser_match+0x747). |
NC-120016 | Firewall | Local ACL doesn't work when the name contains the backslash character. |
NC-113034 | Hardware | Lost device access to XGS appliances, and logs aren't available. |
NC-116002 | IPsec, SDWAN Routing | Branch office users can't receive email, email delivery is slow, and IPsec traffic is slow. |
NC-122180 | Licensing | Unable to access web admin console due to license synchronization issue. |
NC-122699 | nSXLd | Adding a trailing period at the end of the domain bypasses web policies. |
NC-122511 | RED | Vulnerability detected on port 3400. |
NC-119192 | VFP-Firewall | Slow speed using Virtio NICs. |
NC-119052 | WAF | WAF protection policy's display issue on the web admin console. |
NC-121432 | WAF | The /tmp directory doesn't remove files and runs out of space, causing AV scan failure. |
NC-121415 | Web | AVD stops responding after a pattern update because a thread isn't released. |
NC-119829 | WWAN | Verizon Mifi 4G USB modem (U620L) doesn't work after an upgrade to 19.5 MR2. |
NC-114104 | AppFilter Policy | Application filter policy set to block all applications loses risk criteria when the template is pushed from Sophos Central. |
NC-107481 | Authentication | Log viewer doesn't show the source IP address for authenticated SSL VPN users. |
NC-110927 | Authentication | Missing logs for MFA enable-disable events. |
NC-113532 | Authentication | Can't remove authorizers from the data anonymization setting. |
NC-114057 | Authentication | Match known users option in firewall rule drops traffic because user identity isn't being marked. |
NC-114950 | Authentication | View usage doesn't work when the username has a single quote, and web admin console stops responding. |
NC-116602 | Authentication | Log viewer doesn't show the source IP address when authentication fails for SSL VPN Users. |
NC-116880 | Authentication | When two-factor authentication is on, SSH keys disappear if they're added by an administrator other than the default admin. |
NC-116881 | Authentication | Uploading a certificate when the admin signs in through Azure AD SSO results in a sign-out. |
NC-119049 | Authentication | access_server stops responding due to missing nsgencode multi-thread support. |
NC-119183 | Authentication | Transaction failure for eDirectory authentication server. |
NC-119560 | Authentication | Mandatory firmware update through the setup assistant causes the initial setup to start repeatedly. |
NC-94533 | Certificates | Attribute challenge password prevents the issue of a certificate with No-IP. |
NC-119825 | Certificates | Unable to download the default certificate from Web > General Settings. Results in a sign-out when admin clicks the download button. |
NC-102256 | Clientless Access | VNCFreeRDP stops responding. |
NC-108378 | Clientless Access | Clientless access doesn't work if name contains an umlaut character. |
NC-114627 | Clientless Access | Unable to connect to RDP over clientless SSL VPN if the username contains a space. |
NC-115982 | CM | Alert appears in Sophos Central. "Firewall has not checked in with Sophos Central for the past 5 minutes". |
NC-116312 | CM | Garner thread stuck in Central Management plugin. |
NC-118749 | CM | Specific API call doesn't work. |
NC-119198 | CM | Unable to change the password for admin accounts from Sophos Central Firewall Management. |
NC-120519 | CM | Disable Central Management doesn't work per the firewall's API document. |
NC-108562 | Core Utils | Public key authentication for admin can't be managed through Sophos Central. |
NC-117314 | Core Utils | SWAP memory usage full. |
NC-107388 | DDNS | DDNS logs appear every five minutes. |
NC-111790 | DHCP | Unable to configure or edit interfaces. |
NC-113102 | DHCP | Unable to add static MAC entry for specific DHCP pool. |
NC-109623 | Dynamic Routing (BGP) | BGP-FRR doesn't advertise the configured networks if they aren't available in RIB. |
NC-115369 | Dynamic Routing (OSPF) | OSPF repeatedly flaps when running continuous scan with ICMP echo. |
NC-112492 | Dynamic Routing (PIM) | PIMD service doesn't respond. |
NC-107283 | | Awarrensmtp service doesn't respond. |
NC-108237 | | Spam emails are allowed with the error "spam scanning failed, unable to connect local antispam". |
NC-108450 | | Inbound forwarded emails with attachments aren't delivered because of malware scan failure. |
NC-109625 | | Inbound emails from specific domains are quarantined because of DKIM verification failure. |
NC-110897 | | Error logs when using Sophos as AV in web server protection policy. |
NC-111023 | | Legacy email mode stops responding frequently. |
NC-112128 | | Release link settings can't be saved in quarantine digest. |
NC-113038 | | Mail communication stopped working after upgrading to 19.5 GA. |
NC-113458 | | MIME type recognition issues when Zero-day protection is turned on. |
NC-113547 | | Invalid IP address causes error for notification mails. |
NC-116845 | | Fix occasional UT error in mailpoller. |
NC-116899 | | Attachment is allowed even if it's blocked in extension or MIME header. |
NC-117881 | | Antispam service stops responding. |
NC-120138 | | EmailUtility is_valid_messageid is too strict. |
NC-101846 | Firewall | Connections fail due to a high number of www in FIN_WAIT. |
NC-108536 | Firewall | Firewall rules stopped working after backup-restore due to failure of XML API through which the firewall rules were created. |
NC-109201 | Firewall | Device goes into Failsafe mode after upgrade. Unable to apply firewall framework. |
NC-112136 | Firewall | RED connection interrupted when firewall acceleration is turned on in XG 310. |
NC-116527 | Firewall | Entities.xml shows a firewall rule that doesn't appear on the web admin console. |
NC-116890 | Firewall | NAT rule doesn't get marked after the firewall restarts. |
NC-116939 | Firewall | Pktcapd bpf filter causing device restart (___bpf_prog_run). |
NC-117063 | Firewall | Allowed child connection is logged as dropped. |
NC-118204 | Firewall, SDWAN Routing | Static multicast packet changes reply destination when SD-WAN policy is applied. |
NC-85114 | Firmware Management | kworker process continuously uses high CPU on XG 450. |
NC-109689 | FQDN | Adding a new FQDN host causes the resolver to restart or stop responding and causes DNS resolution failure during the time. |
NC-111423 | FQDN | FQDN resolving with low TTL (2-5 seconds) is creating an issue with wildcard FQDN host. |
NC-111476 | FQDN | Subdomain learning doesn't work for non-SFOS DNS server set for the client. |
NC-117675 | Gateway Management | WWAN gateway update flow updates incorrect monitorid when wwan-gwid isn't the same as its monitorid. |
NC-109626 | HA | Standalone device restarts. Too many open files. |
NC-106738 | Hotspot | Sort functionality doesn't work properly for hotspot vouchers in the user portal. |
NC-119525 | Hotspot | Valid until time on hotspot sign-in uses UTC instead of local system time. |
NC-120118 | Hotspot | Missing information in hotspot voucher created for users. |
NC-116314 | Interface Management | Unable to delete or make changes to bridge interface. |
NC-98796 | IPS-DAQ | Coredump during DAQ shutdown due to incorrect order of thread stop. |
NC-107329 | IPS-DAQ | Snort shows high CPU usage, resulting in low bandwidth. |
NC-114872 | IPS-DAQ | Certificate-based authentication fails for a server with a small RX window. |
NC-115019 | IPS-DAQ-NSE | Firewall locks up. Snort core generated. |
NC-119321 | IPS-DAQ-NSE | Slow download speed with SSL/TLS inspection turned on along with malware scanning even if TLS isn't being decrypted. |
NC-107042 | IPsec | IPsec VPN path MTU-related connection issues with IPsec acceleration. |
NC-119047 | IPsec | SSL/TLS inspection doesn't work for VPN users. |
NC-119898 | IPsec | XFRM tunnel remains disabled when both site-to-site and route-based VPNs are up simultaneously on the same local-remote gateway pair. |
NC-114411 | IPS Engine | IPS policy behavior issue in Sophos Central. |
NC-116448 | L2TP | A checkbox isn't visible on the first line for L2TP members. |
NC-112138 | Licensing | Licenses not synchronizing. |
NC-107504 | Logging Framework | Unable to update the pattern file at AirGap sites. |
NC-107975 | Logging Framework | Logging stops on device. Database disk image is malformed. |
NC-110678 | Logging Framework | Live logs aren't being generated in log viewer. |
NC-113004 | Logging Framework | Garner stops responding at init_cache_tree during sync cache. |
NC-114652 | Logging Framework (Central Reporting) | After 7200 files, sending files to Sophos Central stops with error on gzclose. |
NC-108003 | NFP-Firewall | Memory utilization increases until firewall stops responding. |
NC-100418 | nSXLd | Internet down with error "nSXLd Connection timeout while connecting to SXL server". |
NC-115360 | nSXLd | Deleted policy from Sophos Central continues to appear in the firewall. |
NC-117753 | PPPoE | Internet through PPPoE doesn't work after HA failover. |
NC-112058 | RED | Some reports for RED tunnel on XG Firewall don't load. |
NC-112117 | RED | Editing a RED configuration in XG Firewall caused the firewall to become unresponsive. |
NC-112621 | RED | Unable to edit some RED interfaces. |
NC-113005 | RED | RED tunnels restart suddenly. |
NC-117243 | RED | Disable DHE cipher support for RED. |
NC-117786 | Reporting | Security Audit Report score data in email differs from what's shown in the firewall. |
NC-111110 | SDWAN Routing | Import-export doesn't reflect changes in SD-WAN profiles. |
NC-112722 | SDWAN Routing | garner.log is flooded with continuous logs for cache failures. |
NC-114075 | SDWAN Routing | Connectivity issue when using route-based VPN with SD-WAN Routes or profiles. |
NC-107178 | SecurityHeartbeat | Improve license enforcement message for Synchronized Security. |
NC-116531 | SecurityHeartbeat | Can't access resources for some time when Security Heartbeat is configured. |
NC-117680 | SecurityHeartbeat | Ipset hb_green entry removed without cause. |
NC-111441 | SSLVPN | Remote access SSL VPN doesn't work after upgrade. |
NC-112065 | SSLVPN | When Azure AD is used as the authentication type, the Authentication > Services page goes into buffering. |
NC-112211 | SSLVPN | /conf/certificate/openvpn directory is missing. |
NC-114163 | SSLVPN | Connections from LAN to static SSL VPN IP address are routed through WAN on XGS. |
NC-117669 | Firewall | "Invalid TCP state" logs in HA appliances for traffic coming from the auxiliary device. |
NC-120190 | SSLVPN | Site-to-site SSL VPN connections fail due to the absence of serveruser.conf file. |
NC-112370 | Gateway Management | Error while updating failover rules in WAN link manager. |
Known issues
To see the known issues for the firewall, go to the Known issues list.
Set Choose your product to Sophos Firewall. Alternatively, enter a search term.
Upgrading firmware and restoring backups
Upgrading firmware
- Form factors:
- SFOS 20.0 GA and MRs are available on all form factors.
- SFOS 20.0 GA and MRs will be the last firmware versions to support XG and SG Series hardware appliances.
- LINCE: Versions 20.0 MR1 and MR2 are LINCE-compliant. For more details, see the help page National Essential Security Certification (LINCE).
Important points to know before you upgrade to 20.0 MR1 and later versions
SSL VPN
Firewalls upgraded to 20.0 MR1 and later versions won't establish SSL VPN tunnels with the following clients and firewall versions:
- SFOS 18.5 and earlier versions (end-of-life): Site-to-site SSL VPNs won't be established between SFOS 18.5 or earlier versions and SFOS 20.0 MR1 and later versions. We recommend that you upgrade both firewalls to 20.0 MR1 and later versions at the same time. Alternatively, you can use site-to-site IPsec or RED tunnels.
- Legacy SSL VPN client (end-of-life): Remote access SSL VPN tunnels won't be established with the legacy SSL VPN client, which is already end-of-life. You can use the Sophos Connect client or third-party clients, such as OpenVPN client, or use remote access IPsec tunnels.
- UTM9 OS: Site-to-site SSL VPNs won't be established between UTM9 OS and SFOS 20.0 MR1 and later versions. We recommend that you migrate these to 20.0 MR1 and later versions. Alternatively, you can use site-to-site IPsec or RED tunnels.
End-of-life RED devices
20.0 MR1 and later versions won't support the following legacy RED devices: RED 15, 15w, and 50. They have been declared end-of-life in 2023. For more details, see the article Sophos RED: End-of-life of RED 15/15(w) and RED 50.
Versions you can upgrade from
We strongly recommend that you migrate only to the approved versions in the following table. If you try to migrate to other versions, Sophos Firewall shows an alert asking you to confirm the migration before it restarts. If you confirm the migration, Sophos Firewall restarts with the factory configuration, and you lose your current configuration.
See how to upgrade.
Upgrade from | Upgrade to 20.0 MR2 Build 378 | Upgrade to 20.0 MR1 Build 342 | Upgrade to 20.0 GA Build 222 |
---|---|---|---|
20.0 MR1 Build 342 | |||
20.0 GA Build 222 | |||
19.5 MR4 Build 718 | |||
19.5 MR3 Build 652 | |||
19.5 MR2 Build 624 | |||
19.5 MR1 Build 278 | |||
19.5 GA Build 197 | |||
All 19.0 versions | |||
All 18.5 versions |
Sophos Central: You can schedule firmware upgrades from Sophos Central.
Previously restored Cyberoam backup: If your appliance uses a configuration previously restored from a Cyberoam backup, the firewall allows you to upgrade to version 20.0.x only if you've regenerated the appliance certificate at least once on SFOS. (The appliance certificate generated on Cyberoam devices uses a weak signature algorithm (MD5). SFOS 20.0.x doesn't support appliance certificates with this algorithm.)
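The check behind this upgrade block, as an added illustration rather than SFOS's own code: a small pure-Python DER reader that pulls the outer signatureAlgorithm OID out of an X.509 certificate and flags MD5 (and other weak digests) before you attempt the upgrade. The two sample certificates are constructed DER skeletons with a stub tbsCertificate and a dummy signature, not real certificates, so the script runs offline; to check a real appliance certificate, export it as PEM and pass the text through the assumed helper `from_pem`.

```python
"""Flag X.509 certificates signed with a weak digest (e.g. MD5) before upgrading.

Added illustration; it does not reproduce the firewall's own check. Only the
DER needed to reach Certificate.signatureAlgorithm is parsed.
"""
import base64

# OIDs of signature algorithms that a modern firmware is expected to reject.
WEAK = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
KNOWN = {
    **WEAK,
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}


def _read_tlv(buf, pos):
    """Decode one DER TLV header; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def _decode_oid(data):
    """Turn OBJECT IDENTIFIER content bytes into dotted notation."""
    first = data[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in data[1:]:  # base-128 arcs, high bit set on all but the last byte
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(cert_der):
    """Return the OID of the outer signatureAlgorithm of a DER certificate."""
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tag, start, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, _, tbs_end = _read_tlv(cert_der, start)  # skip tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, alg_start, _ = _read_tlv(cert_der, tbs_end)  # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(cert_der[oid_start:oid_end])


def upgrade_precheck(cert_der):
    """Return (ok, algorithm_name); ok is False for weak signature digests."""
    oid = signature_algorithm_oid(cert_der)
    return oid not in WEAK, KNOWN.get(oid, oid)


def from_pem(pem_text):
    """Strip PEM armor and return the DER bytes (assumed helper for real files)."""
    body = [l for l in pem_text.splitlines() if l and not l.startswith("-----")]
    return base64.b64decode("".join(body))


# --- constructed sample certificates (DER skeletons, not real certificates) ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def make_sample_cert(sig_oid):
    """Certificate skeleton: stub tbsCertificate, given algorithm, dummy signature."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                 # stand-in tbsCertificate
    alg = _tlv(0x30, _encode_oid(sig_oid) + b"\x05\x00")  # OID + NULL parameters
    sig = _tlv(0x03, b"\x00" + b"\x00" * 16)              # BIT STRING, 0 unused bits
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for label, oid in (("legacy", "1.2.840.113549.1.1.4"), ("regenerated", "1.2.840.113549.1.1.11")):
        ok, name = upgrade_precheck(make_sample_cert(oid))
        print(f"{label}: {name} -> {'upgrade allowed' if ok else 'regenerate certificate first'}")
```

If the legacy certificate reports md5WithRSAEncryption, regenerate the appliance certificate on SFOS and re-run the check before scheduling the upgrade.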
Static route configurations through Zebra advanced shell: We introduced a new routing engine, which enables the firewall to monitor the interface link status and network configuration. This is a change from the earlier behavior. If you're upgrading or restoring the backup from 19.0.x and earlier versions, static routes configured through the Zebra advanced shell CLI commands won't migrate to 19.5.x and later versions. So, in some cases, the firewall won't allow you to upgrade to SFOS 20.0.x. For details, see the knowledge base article Upgrade to 19.5 GA blocked for specific routing configurations.
Backup-restore
Backups restored to 20.0 MR2
You can restore backups to firewall models with fewer ports.
- Backups from versions 19.5 MR4 and later: The backup-restore assistant appears when you restore backups from XG, SG running SFOS, and XGS to XGS Series, cloud, and virtual firewalls.
- Backups from versions 19.5 MR3 and earlier: The backup-restore assistant doesn't appear, and the firewall automatically maps the interfaces.
Help links
- See the help page Restore backups to 20.0 MR2.
- Use the tool to check if you can restore backups between appliance models and platforms. Check compatible devices to restore backups.
- Watch the video Backup-restore enhancements.
Backups restored to 20.0 GA and MR1
- The backup-restore assistant doesn't appear.
- You can restore backups from SG, XG, XGS Series, cloud, and virtual appliances to any of these appliances.
- You can't restore backups from larger models to desktop models. See Backup-restore compatibility check.
Supported platforms
Version 20.0
Sophos Firewall OS versions 20.0.x are available on all form factors as follows:
- XGS Series firewalls
- XG Series firewalls
- SG Series firewalls
- Virtual and software appliances
- Cloud platforms
Additional information
- SFOS 20.0 GA and MRs will be the last firmware versions to support XG and SG Series hardware appliances.
- For all hardware lifecycle milestones, see Retirement calendar.
- For more information about the supported firmware versions, licenses, and migration, see Sophos Firewall: Licensing guide.
Supported firmware versions
20.0.x versions support the following firmware versions:
- Wi-Fi firmware 11.0.021 and earlier
- RED firmware 3.0.009 and earlier
- Sophos Connect 2.3 MR-1 and earlier
Support
You can find technical support for Sophos products in the following ways:
- To ask or answer questions, subscribe to blogs, and see recommended reads, visit Sophos Community.
- Find how-to, configuration, and troubleshooting videos at Sophos Techvids video hub.
- Visit Sophos Support.
Legal notices
Copyright © 2022 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.
Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.