What’s New?
Sandstorm Threat Intelligence Analysis
Sophos Sandstorm gains an added layer of artificial intelligence protection. All suspicious files are now subject to threat intelligence analysis in parallel with full sandbox analysis. Files are checked against SophosLabs' threat intelligence database and analysed by Sophos deep learning models, which identify new and unknown malware quickly and efficiently, often rendering a verdict in seconds, so that zero-day threats are stopped before they reach the network.
Sophos Central Firewall Reporting and Management
This release includes support for the new firewall reporting and management capabilities being launched simultaneously on Sophos Central, including a rich new reporting suite and group firewall management tools.
NAT Enhancements – Decoupled NAT Rules and Linked NAT Rule
XG Firewall’s NAT configuration receives some major updates. NAT rules are now decoupled from firewall rules, enabling more powerful and flexible configuration options, including Source (SNAT) and Destination (DNAT) in a single rule.
In addition, a new linked NAT rule feature creates a NAT rule that uses the same matching criteria as the firewall rule it is attached to. Linked NAT rules can be added and edited in place while creating or editing a firewall rule; only the source translation needs to be selected for a linked NAT rule.
Firewall Rules Management Improvements
Firewall rules management includes a new ‘Add Filter’ option with several fields and conditions to choose from. Adding a filter makes it easier to find firewall rules that match the selected criteria, and filters stay selected even when the administrator moves to other configuration screens. Administrators can manage multiple firewall rules at the same time (e.g. select multiple rules to delete, enable or disable, or attach to a group).
Rules can be moved across screens, which eases management of larger rule sets. Within a firewall rule, an exclusion feature provides a “negate” option in the matching criteria, reducing the management and ordering overhead of maintaining several separate rules. There is also a UI option to reset the data transfer counter of a firewall rule, which helps when troubleshooting whether a rule is actually being hit.
Enhanced DDNS Support
Adds HTTPS-based DDNS updates and five more DDNS providers: No-IP, DNS-O-Matic, Google DNS, Namecheap, and FreeDNS.
SD-WAN Policy-based Routing Enhancements
Policy-based routing gains added SD-WAN flexibility and more granular control with the addition of user- and group-based traffic selection criteria. A route can be defined through either the primary or a backup gateway WAN connection and can also be configured for the reply direction. Additionally, routing decisions are now decoupled from firewall rules and merged into SD-WAN policy-based routes, enabling more powerful and flexible configuration of policy routes.
Alerts and Notifications
A new option lets administrators choose from dozens of system- and threat-related alerts and have notifications sent via email or SNMP.
Intelligent IPS Signature Selection
XG Firewall now receives IPS signatures selected by intelligent filtering criteria such as signature age, vendor, vulnerability type, and CVSS (Common Vulnerability Scoring System) score, balancing protection against performance.
DKIM and BATV Anti-Spam Protection
Anti-spam protection is improved with support for DomainKeys Identified Mail (DKIM), which verifies the signing domain's signature on a message and so detects forged sender addresses, and Bounce Address Tag Validation (BATV), which checks whether the bounce address in a received bounce message carries a valid tag issued by this mail system, so that backscatter spam (bounces for messages you never sent) can be rejected.
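To make the BATV half of this concrete, here is an added example (written for this page, not code from XG Firewall or Sophos) of how a mail system tags its outbound envelope sender and then validates the recipient of an inbound bounce. The secret key, the seven-day validity window and the addresses are constructed for the example; the prvs= layout (key id, expiry day mod 1000, six hex digits of a hash) follows the BATV draft, while the hash here is HMAC-SHA1 over the expiry day and original address rather than the draft's plain SHA-1 over day, address and key, which is an implementation choice of this example. A bounce to an untagged, mis-signed or expired address cannot belong to a message this system sent, so it is rejected as backscatter.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed values for this example: the key id -> secret map and the
# validity window would come from the mail system's configuration in practice.
BATV_KEYS = {"0": b"example-batv-secret-0"}
PRVS_VALIDITY_DAYS = 7
HEX_DIGITS = set("0123456789abcdef")


def _day_number(now: Optional[float] = None) -> int:
    """Days since the Unix epoch; 'now' is injectable so results are reproducible."""
    return int((time.time() if now is None else now) // 86400)


def _prvs_hash(key: bytes, expiry_ddd: str, address: str) -> str:
    """Six hex digits of HMAC-SHA1 over the expiry day and the original address
    (the BATV draft uses plain SHA-1 over day+address+key; HMAC is used here)."""
    mac = hmac.new(key, (expiry_ddd + address).encode("utf-8"), hashlib.sha1)
    return mac.hexdigest()[:6]


def sign_bounce_address(address: str, key_id: str = "0",
                        now: Optional[float] = None) -> str:
    """Build the tagged envelope sender (MAIL FROM) for an outbound message:
    prvs=KDDDSSSSSS=local@domain with K = key id, DDD = expiry day mod 1000,
    SSSSSS = keyed hash."""
    local, domain = address.rsplit("@", 1)
    expiry_ddd = "%03d" % ((_day_number(now) + PRVS_VALIDITY_DAYS) % 1000)
    tag = key_id + expiry_ddd + _prvs_hash(BATV_KEYS[key_id], expiry_ddd, address)
    return "prvs=%s=%s@%s" % (tag, local, domain)


def validate_bounce_address(rcpt: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Check the recipient of an inbound bounce (a message with a null envelope
    sender). Returns (accept, original_address_or_reason). Anything we cannot
    prove we issued is treated as backscatter and rejected."""
    if "@" not in rcpt:
        return False, "malformed address"
    local, domain = rcpt.rsplit("@", 1)
    parts = local.split("=", 2)
    if len(parts) != 3 or parts[0] != "prvs":
        return False, "untagged address: not a bounce we originated"
    tag, orig_local = parts[1], parts[2]
    if len(tag) != 10 or not tag[:4].isdigit() or not set(tag[4:]) <= HEX_DIGITS:
        return False, "malformed prvs tag"
    key_id, expiry_ddd, sig = tag[0], tag[1:4], tag[4:]
    key = BATV_KEYS.get(key_id)
    if key is None:
        return False, "unknown key id"
    original = "%s@%s" % (orig_local, domain)
    expected = _prvs_hash(key, expiry_ddd, original)
    if not hmac.compare_digest(expected, sig):
        return False, "signature mismatch"
    # The expiry day is stored mod 1000, so compare inside that window: the tag
    # is live only if its expiry lies 0..PRVS_VALIDITY_DAYS days ahead of today.
    days_left = (int(expiry_ddd) - _day_number(now) % 1000) % 1000
    if days_left > PRVS_VALIDITY_DAYS:
        return False, "tag expired"
    return True, original


if __name__ == "__main__":
    tagged = sign_bounce_address("alice@example.com")
    print(tagged)
    print(validate_bounce_address(tagged))               # genuine bounce, accepted
    print(validate_bounce_address("alice@example.com"))  # untagged, rejected
```

Note that BATV only protects addresses you tag on the way out: the validation side must be switched on together with the tagging side, otherwise legitimate bounces for untagged mail sent before the change are rejected too.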
Kerberos Authentication and NTLM
This release adds Kerberos authentication alongside the existing NTLM support for Microsoft Active Directory single sign-on (SSO), extending the range of authentication options available to customers.
RADIUS Timeout with Two-Factor Authentication (2FA)
For customers using 2FA with RADIUS server authentication, the timeout value is now configurable, allowing additional time for the user to complete the authentication flow (for example, entering a one-time code) when necessary.
SNMPv3
Support for SNMPv3 is added, providing authenticated and encrypted management traffic, which SNMPv2c does not offer.
Interface Renaming
Interfaces can be renamed, making network configuration easier and more intuitive.
Improved Synchronized Application Control Verdict
When a pattern-based match conflicts with the Synchronized Application Control verdict, the Synchronized Application Control verdict now takes precedence, giving more accurate application control.
DHCP Relay Enhancements for Dynamic Routing
Dynamic routing updates (routes learned from OSPF) are now synchronized to DHCP relay, eliminating the need for manual reconfiguration.
Secure Syslog and Logs in the Standard Syslog Format
Logs can now be sent to a syslog server in the standard syslog format over a TLS-secured connection.
Dynamic GeoIP (IP to Country Mapping) Database
The GeoIP (IP-to-country mapping) database is now updated dynamically in real time through Up2Date. Always use the appropriate country-specific filters and policies.
VMware Tools Upgrade and Integration With VMware Site Recovery Manager (SRM)
Supports virtual device integration with the latest VMware Tools version (v10.3.10), including reboot, shutdown, and clone functionality. The release also supports integration with Site Recovery Manager (SRM), the disaster recovery and business continuity solution from VMware, which automates the transfer of virtual machines to a local or remote recovery site.
Jumbo Frame Support
Jumbo frames (Ethernet frames with payloads larger than 1500 bytes) are now supported, for added networking flexibility in high-bandwidth environments.
Log Viewer Enhancements
The log viewer gets several enhancements, with one-click actions available right from the logs to narrow search results, filter log entries, or create or modify policies on the fly. Options include disabling a signature, blocking a source IP address, editing interfaces, and modifying IPS, application control, or web filtering policies.
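The same kind of decision the one-click “block a source IP address” action asks an administrator to make can be reproduced outside the log viewer, over the logs the firewall exports in syslog format. The following is an added example written for this page (not code from XG Firewall or Sophos): it parses the key=value layout that XG Firewall is assumed to use for its syslog lines, keeps only denied firewall events, and reports source addresses that were denied repeatedly against several different destination ports, the typical signature of a scanner. The log lines are constructed for the example and are not real firewall output; field names such as log_type, status, src_ip and dst_port are assumptions about the export format.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample lines in the key=value layout assumed for XG Firewall's
# syslog export. They are not real firewall output.
SAMPLE_LOG_LINES = [
    # 203.0.113.45 probes four different services and is denied each time
    'device="SFW" date=2020-03-30 time=10:15:32 timezone="UTC" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" fw_rule_id=0 in_interface="Port2" src_ip=203.0.113.45 dst_ip=198.51.100.10 protocol="TCP" src_port=51234 dst_port=22',
    'device="SFW" date=2020-03-30 time=10:15:33 timezone="UTC" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" fw_rule_id=0 in_interface="Port2" src_ip=203.0.113.45 dst_ip=198.51.100.10 protocol="TCP" src_port=51235 dst_port=3389',
    'device="SFW" date=2020-03-30 time=10:15:33 timezone="UTC" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" fw_rule_id=0 in_interface="Port2" src_ip=203.0.113.45 dst_ip=198.51.100.10 protocol="TCP" src_port=51236 dst_port=445',
    'device="SFW" date=2020-03-30 time=10:15:34 timezone="UTC" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" fw_rule_id=0 in_interface="Port2" src_ip=203.0.113.45 dst_ip=198.51.100.10 protocol="TCP" src_port=51237 dst_port=1433',
    # a single denied hit from another host is not enough to act on
    'device="SFW" date=2020-03-30 time=10:16:01 timezone="UTC" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" fw_rule_id=0 in_interface="Port2" src_ip=198.51.100.77 dst_ip=198.51.100.10 protocol="TCP" src_port=40001 dst_port=80',
    # allowed traffic is ignored
    'device="SFW" date=2020-03-30 time=10:16:05 timezone="UTC" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" fw_rule_id=3 in_interface="Port2" src_ip=192.0.2.9 dst_ip=198.51.100.10 protocol="TCP" src_port=50010 dst_port=443',
    # a web filtering event carries a src_ip too but is not a firewall denial
    'device="SFW" date=2020-03-30 time=10:16:09 timezone="UTC" log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="Deny" src_ip=192.0.2.9 url="http://example.org/blocked page"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_line(line: str) -> Dict[str, str]:
    """Turn one syslog line into a dict of field name -> value."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def denied_by_source(lines: List[str]) -> Dict[str, Dict[str, object]]:
    """Count denied firewall events per source IP and collect the distinct
    destination ports each source was denied on."""
    stats = defaultdict(lambda: {"count": 0, "ports": set()})  # type: Dict[str, Dict[str, object]]
    for line in lines:
        f = parse_line(line)
        if f.get("log_type") != "Firewall" or f.get("status") != "Deny":
            continue
        entry = stats[f["src_ip"]]
        entry["count"] = int(entry["count"]) + 1
        ports = entry["ports"]  # type: Set[str]
        ports.add(f.get("dst_port", ""))
    return dict(stats)


def block_candidates(lines: List[str], min_events: int = 3,
                     min_distinct_ports: int = 3) -> List[str]:
    """Source IPs denied at least min_events times across at least
    min_distinct_ports destination ports: candidates for a block rule."""
    stats = denied_by_source(lines)
    return sorted(ip for ip, s in stats.items()
                  if int(s["count"]) >= min_events and len(s["ports"]) >= min_distinct_ports)


if __name__ == "__main__":
    for ip, s in denied_by_source(SAMPLE_LOG_LINES).items():
        print(ip, s["count"], sorted(s["ports"]))
    print("block candidates:", block_candidates(SAMPLE_LOG_LINES))
```

The thresholds are deliberately conservative: a single denial is normal noise on any internet-facing interface, so the example only flags a source once it has been refused on several distinct ports.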
Xstream SSL Inspection Troubleshooting
When an encrypted traffic stream is encountered that is problematic for SSL inspection, it is highlighted in the Control Center, enabling administrators to quickly diagnose the issue and resolve it by excluding the traffic or updating policies (keeping in mind that excluded traffic is no longer inspected).
SD-WAN Application Routing and Synchronized SD-WAN
Optimized application routing and path selection is often an important objective in SD-WAN implementations – to ensure important business applications are routed over preferred WAN links. This release adds application-based traffic selection criteria to XG Firewall’s SD-WAN routing configuration.
Synchronized SD-WAN, a new Sophos Synchronized Security feature, offers additional benefits for SD-WAN application routing. It leverages the added clarity and reliability of application identification that comes from sharing Synchronized Application Control information between Sophos-managed endpoints and XG Firewall. Synchronized Application Control can positively identify networked applications that signature-based classification cannot, including evasive, encrypted, obscure, and custom applications, and these previously unidentified applications can now also be added to SD-WAN routing policies. This provides a level of application routing control and reliability that firewalls without endpoint visibility cannot match.
Sandstorm Threat Intelligence Reporting
Sandstorm Threat Intelligence Reporting adds a new Control Center widget that highlights all suspicious file downloads. The widget enables one-click drill-down to detailed forensic reports on all suspicious file activity. A quick summary view for each file provides a traffic-light style (red, yellow, green) indication of the analysis result after antivirus scanning, threat intelligence analysis, and sandboxing. Detailed reports provide an in-depth view of the verdict, including illustrated analysis by multiple machine learning models, details and screenshots of behaviours seen during Sandstorm analysis, and a breakdown of the file's features and attributes, together with malware scan results and insight from VirusTotal.
High Availability (HA) Enhancements
New enhancements enable plug-and-play high availability deployments with greater flexibility and business redundancy. A preconfigured HA port on every device enables quick and easy HA deployments by simply connecting the two ports together and then acknowledging and activating HA.
HA configurations also include a configurable failback strategy, ideal for remote-site HA deployments, with options for manual synchronization and timeout tuning. It is now possible to perform firmware updates, rollbacks, and other tasks such as editing port monitoring lists and assigning multiple IP addresses to the primary and auxiliary appliances while HA is active. In addition, deploying more than one HA pair in a single network is easier because the HA architecture no longer depends on a virtual MAC address, which eliminates the conflicts that dependency caused.
Bridge Interface Enhancements
Bridge interfaces now support ARP broadcasts, Spanning Tree Protocol (STP) traffic, and non-IP protocols, selected by specifying the Ethernet frame type.
Flow Monitoring Improvements
The new real-time flow monitor provides at-a-glance insight into active applications, users, and hosts, along with current bandwidth utilization and other important information, with convenient drill-down capabilities. Administrators can now analyse bandwidth in real time from the Live connections screen, and can combine users, source IP addresses, and applications in a single view to examine live bandwidth utilization from different pivots.
Web Policy Enhancements
Browsing quotas have been added to web policies, allowing administrators to set time quotas for browsing selected website categories. Users can choose how and when to consume their daily time quota.
VLAN Bridge Support
VLANs are now supported on bridge interfaces, enabling greater networking flexibility and support for advanced inter-VLAN routing and bridging deployments.