Sophos XG Firewall: Applying a complex password to configuration backups


  • XG Firewall version 17.5 MR4 (and future releases) provides the ability to create a custom password for configuration backups. We strongly recommend specifying a backup password at the first opportunity. Once set, all future backups will be encrypted and protected with that password.
  • Backups created before 17.5 MR4 can still be restored on systems running MR4, even after specifying a new encryption password as described above. Pre-MR4 encrypted backups use a common encryption password across devices which is not recommended.

How to know if you’re impacted?

  • Customers that do not use the backup feature do not need to take action.
  • All customers that perform backups should create a custom password. Customers should note that off box storage of any backup should be further secured using a method of their choice and should not rely solely on the protection and obfuscation that Sophos provides.
  • Those customers who do not wish to take advantage of this additional security feature along with other product improvements can safely remain on their current version provided they don’t send backups over SMTP or FTP. Any off-firewall storage of a backup must be secured and encrypted.


  • Sophos XG Firewall v17.5 MR4.

What to do

Sophos recommends customers upgrade to XG Firewall version 17.5 MR4, or newer, and specify a strong password for protecting backup files immediately:

  • Under the Backup section, set and confirm the Encryption password field to a strong password consisting of 12 characters or more and click Apply.
  • Once Encryption password is configured, you can also download the configuration file encrypted with the previously set encryption password using the option: Download encrypted backup or you can encrypt the backup file with a different password before downloading using the option: Encrypt backup with a different password before you download as shown below: 

Be the first to comment

Leave a Reply

Your email address will not be published.