The firewall team has been working furiously over the last several months on the latest release of Sophos XG Firewall and, after an extensive beta, we’re really pleased to announce that Sophos XG Firewall v16 is available now.
This release is a major update that includes over 120 new features and enhancements across all areas of the firewall.
It’s easier to use, with new navigation, enhanced logging and troubleshooting tools, and streamlined workflows.
It’s more powerful, with new policy tools that make it easy to build sophisticated web, email, and routing policies custom tailored to your needs.
It’s more innovative, with new Synchronized Security features like dynamic app identification and new Security Heartbeat™ options that improve protection, response, and visibility into what’s happening on your network.
There’s a complete list of new features below, but you’ll probably prefer to see what’s new first hand: watch the full 8-minute overview video of all the major new features or see the highlights in just two minutes.
How to get it
The new XG Firewall v16 firmware is being rolled out automatically to customer systems, so keep an eye open for the firmware update notification in your firewall. However, if you’re eager to install the update sooner, you can download the firmware update from the Community Forums (and later via MySophos) and apply it anytime. Watch this video that explains how to update your firmware.
If you’re new to XG Firewall, you can see what all the buzz is about here and you can also sign up for a 30-day free trial.
Tell us what you think
Many of the enhancements in v16 are the result of your feedback and input – so thank you very much for your help in making this a great release! But please don’t stop there. Let us know what’s on your mind by stopping by the Sophos XG Firewall Community Forums.
Need help? Have questions? Our Community has the answers.
The Sophos XG Firewall Community is also the perfect place to get all your questions answered and is staffed by members of our technical engineering team as well as some very knowledgeable expert members. There’s tons of useful content in the Knowledge Base and, soon, the new How-to Library as well (stay tuned for more on that). I think you’ll be impressed with the quality and quantity of content available there.
Control Center and navigation
- Enhanced Control Center widgets: Several widgets have improved flip-card views or drill-down results including Reports, Interfaces, and Security Heartbeat.
- Navigation: Left navigation has been expanded to improve access and gain consistency with Sophos Central. Menu items are grouped logically on the left side by task or activity. Second level navigation is now tab-based, enabling quicker two-clicks-to-anywhere access to the most frequently used configuration options. (Note: final tab layout and organization is still being worked on for a subsequent beta build.)
Firewall, network and device configuration
- Firewall hostname: You can now assign a custom hostname to your firewall.
- Cloning: Enables easy cloning of existing firewall rules, objects and policies.
- Policy routes: Route select traffic to a custom gateway based on source, destination or layer-4 service.
- Firewall to firewall RED tunnels: Site-to-site RED tunnel support.
- Country filtering improvements: Streamlined implementation of country- or continent-based filtering in firewall rules.
- NAT business rule creation: Improved DNAT, Full NAT, and server load balancing rule creation.
- DHCP server and relay: Support for concurrent DHCP Server and Relay configurations.
Authentication and diagnostics
- Two-factor authentication: Improved access security with support for OATH-TOTP one-time passwords directly on the firewall, eliminating the need for a separate 2FA solution. Support for IPSec, SSL VPN, User Portal, and WebAdmin access. We recommend using the free Sophos Authenticator app for iOS and Android.
- STAS (Sophos Transparent Authentication Suite) UI: STAS configuration has been added to the GUI enabling easy setup without requiring the CLI.
- Direct live log viewer access: Open the live log viewer in a separate window directly from the Control Center using the magnifying glass at the top of any screen.
- Live log viewer enhancements: An improved live log viewer which conveniently opens in a new window, with a 5-second refresh option, color-coded log lines, and the option to activate packet capture.
Web and email protection
- Redesigned web policy model: Flexible new user and group policy creation and in-line editing tools with inheritance that make web policies more intuitive and easy to maintain while dramatically reducing firewall rule count in many situations.
- Warn action: A new web filtering action in addition to Block or Allow that enables users to proceed to websites only after acknowledging a warning that the site belongs to an inappropriate or undesirable category. This option can be ideal in situations where user education, awareness, and monitoring are desired without strictly prohibiting access.
- Unscannable content handling: Options to allow or block content that cannot be scanned due to encryption or containers.
- Google Apps control: Limit access to a selected Google Apps domain to reduce the risk of data loss from users transferring documents to their personal Google Apps.
- Creative Commons enforcement: Reduce the risk of exposure to inappropriate images by enforcing search engine filters for content with a Creative Commons license.
- External URL lists: Import external URL lists that require enforcement in certain organizations or jurisdictions.
- Email per-domain routing: Route incoming mail to the correct destination server, based on the target domain.
- Full email MTA – store and forward support: Enable business continuity, allowing the firewall to store mail when target servers are unavailable.
- New anti-spam features (HELO/RDNS): Added anti-spam technology to identify non-legitimate mail sending servers.
- Email SPX Encryption reply portal: Enable recipients of SPX encrypted emails generated by the firewall to reply securely using a portal on the firewall to draft and send a response.
- Missing Security Heartbeat: Enables the firewall to detect when a previously healthy Endpoint is generating network traffic with a missing Security Heartbeat and automatically identify the system and respond. This may be an indication that the endpoint AV has been tampered with or disabled.
- Real-time application visibility: Enables the firewall to solicit information from the endpoint to determine the application responsible for generating uncategorized network traffic. This is valuable for gaining insights into network traffic that is unrecognized by other firewall solutions.
- Destination-based Security Heartbeat: Enables the firewall to limit access to destinations and servers based on the status of their Heartbeat, further bolstering protection from potentially compromised systems until they can be cleaned up. Combined with regular Heartbeat policy enforcement, this can effectively isolate a compromised system completely – both inbound and outbound.
Deployment and hardware
- Microsoft Azure platform support: Support for deployment in Microsoft Azure as a preconfigured virtual machine from the Microsoft Azure Marketplace with pay-as-you-go or bring-your-own-licensing (BYOL) options.
- High availability enhancements: HA support for configurations using dynamic (DHCP/PPPoE) interfaces.
- Improved Security Audit Report: Improved layout, presentation and information for the customer-facing Security Audit Report provided after a TAP-mode or Inline-mode Proof-of-Concept deployment.
- RED 15w support: Adds support for the RED 15w with integrated wireless.
- AP 15C support: Adds support for the entry-level AP 15C ceiling mount access point.
- 4x10G 4-Port Flexiport module support for 1U XG Series appliances
- Open issues addressed: In addition to new features, this release has closed hundreds of open issues identified since the release of v15 across all areas of the product. Check the release notes for details.
- Vulnerabilities addressed: A number of vulnerabilities have also been closed with this release, improving the security of your firewall.
Now, of course, we’re not done yet by any means. There are still lots of great things we want to do, but I think you’re going to love the improvements in this release, so I encourage you to check it out.