Xg V18



Every maintenance release (MR) for XG Firewall v18 brings compelling new features, including a variety of performance, stability, and security enhancements. MR5 is no exception.

What’s new in v18 MR5

VPN enhancements

  • A huge 50% increase in concurrent IPSec VPN tunnel capacity across the line
  • Port 443 sharing between SSL VPN and the Web Application Firewall (WAF)
  • IPSec provisioning file support for remote access via Sophos Connect v2.1

XG Firewall v18 Maintenance Release 5 (MR5) is packed with enhancements to performance, security, reliability and central reporting. With v18 MR5, we have published XG Firewall integration for Azure Active Directory and Azure Virtual WAN.

More on XG Firewall v18: Check out our recent blog and video series on how to make the most of the many great new capabilities in XG Firewall v18 such as the Xstream Architecture, TLS Inspection, FastPath acceleration, Zero-day threat protection, NAT, and much more. We also have a new Sophos Techvids site for XG Firewall v18.

SD-WAN

  • Integration with Azure Virtual WAN for a complete SD-WAN overlay network

Authentication

  • Integration with Azure Active Directory

Certificate management and security

  • Form enhancements for creating certificate signing requests and certificates
  • Enhanced security for private keys
  • Upload/download support for PEM format certificates
  • Enhanced workflows for certificate management

Synchronized Security

  • Enhanced registration and de-registration in high-availability (HA) installations
  • Missing Heartbeat enhancements to reduce notifications sent for intended/expected changes in endpoint status

Sophos Central Firewall Reporting

  • New Cloud Application (CASB) report
  • MSP Flex Pricing for MSP partners

View the full release notes on the Sophos Community Blog.

Other Recent Enhancements

If you’re not running the latest v18 firmware on your firewall, you’re missing out on a ton of new capabilities and dozens of resolved issues.

In addition to the above, these capabilities have been added in other v18 maintenance releases:

High-availability enhancements

  • Improved FastPath support for active-passive pairs
  • HA support in AWS using the AWS Transit Gateway
  • Setup, reliability, and stability enhancements

VPN and Sophos Connect Remote Access Client

  • A huge increase in SSL VPN connection capacity (up to 3-6x)
  • Remote access IPSec policy provisioning with Sophos Connect v2.1
  • Group support for Sophos Connect which enables imports from AD/LDAP/etc.
  • New advanced options for IPSec remote access
  • Sophos Connect downloads enabled from the user portal
  • Enforcement of TLS 1.2 for SSL site-to-site and remote access VPN tunnels

Synchronized Security

  • A new option for Synchronized App Control to automatically clean up discovered apps over a month old

Cloud platform support

  • Support for new AWS instances (C5/M5 and T3)
  • Support for cloud formation templates
  • Virtual WAN zone support on custom gateways for post deployment single arm usage
  • Nutanix and Nutanix Flow support

Sophos Central

  • Group firewall management via the Partner Dashboard
  • Firmware update scheduling
  • Multi-firewall reporting across firewall groups
  • Save, schedule, and export reports from Sophos Central

Security and authentication enhancements

  • Stronger password hash algorithm (requires a password change)
  • Auto web-filtering of Internet Watch Foundation (IWF) identified sites containing child sexual abuse
  • Support for creating users with UPN format for RADIUS authentication

It’s easy and free

Of course, all these features are a free upgrade for Sophos customers and are as easy as clicking to upgrade your firmware in your firewall console or scheduling a firmware update through Sophos Central.

Upgrade to v18 today!

Now is the perfect time to upgrade. If you’re interested in learning more about what’s new in v18, check out these excellent articles that will help you make the most of the many new capabilities in v18:

We’ve just updated the XG sales collateral with the latest v18 datasheet numbers.

Find the latest XG Firewall assets, including the new datasheet, brochure and product matrix, on the partner portal asset library.

These documents are currently in translation and the web pages are in the process of being updated.

This blog explains the new performance data and gives you further context to better understand the numbers and why a direct comparison with prior XG Firewall (SFOS) versions is not always possible.

How much faster is v18 than v17?
Overall, we come to a performance improvement of about 25%. This varies by model and performance test mode, as you can see in the graphic below.

If you compare the datasheets, you will see that a few numbers are lower than in the previous datasheet. The lower concurrent connections and connection rates (connections per second) are simply a reflection of the different way in which v18 uses resources: less plain firewall, more security processing. If you were to compare v17 and v18 for the concurrent connections for decrypted traffic, or the per-connection state for Synchronized Security processing, you would see a significant improvement.

The v18 concurrent connections and connection rates:

  • Exceed the demands of the real world AND
  • Beat the competition in equivalent models.

The Xstream Architecture and Firewall Performance
Over the past months, you’ve hopefully been following our updates about the new Xstream Architecture, particularly the new DPI Engine and FastPath technology. If you’re new to Sophos or want to refresh your memory, check out the current blog series covering the highlights.

XG v18 has been built from the ground up with software architecture to get the best performance out of our current x86 hardware appliances, and in the future, will take advantage of new hardware technology to offer continued performance improvements.

In short, FastPath offers a smarter way to handle trusted traffic and, particularly in high traffic environments, can reduce the load on the CPU. The DPI Engine optimizes process handling by combining processes which would have been handled in sequence in v17, such as IPS, Web, SSL and App Control, into a single engine. This means more traffic gets where it needs to go faster (improved throughput) and with as little delay (latency) as possible.

What do the performance numbers mean and how are they measured?
We’ve made some changes to our test methodology and now include new datapoints – most notably, we’ve added Threat Protection and SSL decryption throughput. This not only makes our performance easier to reproduce, should someone conduct similar tests, but also makes it easier to compare us with our key NGFW competitors.

These changes are all part of our ongoing shift as we grow from our UTM roots and claim our stake in the Next-Gen Firewall space.

  • Firewall: Plain firewall throughput using a single packet size, in our case, 512K. This will always be the highest number.
  • Firewall IMIX: UDP throughput measured using different packet sizes (66, 570 and 1518 bytes).
  • NGFW: IPS + Application Control, with HTTP traffic using a default IPS ruleset and 512KB object size.
  • IPS: Measured using a default IPS ruleset and 512KB object size.
  • IPsec VPN: HTTP throughput using multiple tunnels and a 512KB response size.
  • Threat Protection: Measured with Firewall + IPS + Application Control + malware prevention using HTTP 200KB response size.
  • Xstream SSL Decryption: Measured with IPS + Threat Prevention enabled using HTTP traffic with a 192KB response size.

A friendly reminder:
Datasheet numbers represent performance testing under ideal lab conditions and are not to be confused with real-world numbers, which will be made available via your local Sophos SEs once that testing is complete.

What’s coming next?
We will soon be releasing a sizing tool, which will also be available to partners. Watch out for more news on that very soon.