Neues Update: Sophos Firewall OS v21.0 MR1 Build 272
vom 23. März 2025Sophos hat kürzlich das erste Maintenance Release (MR1) für die Sophos Firewall OS v21 veröffentlicht. Diese Version bringt zahlreiche Verbesserungen und neue Funktionen, die die Sicherheit und Performance der Firewall erheblich steigern. Hier sind die wichtigsten Neuerungen und Verbesserungen in dieser Version:
Was ist neu in SFOS v21 MR1?
Verbesserte VPN-Funktionen
SSL-VPN:
- Erweiterte Schlüsselgrößen: Mit der Unterstützung von Diffie-Hellman-Schlüsselgrößen von 3072 und 4096 Bit wird die Kommunikationssicherheit weiter erhöht und Compliance-Anforderungen erfüllt.
- Dead-Peer-Erkennung: Eine granulare Einstellung der Zeitüberschreitung für die Dead-Peer-Erkennung bei UDP-basierten SSL-VPN-Tunneln verbessert die Ausfallsicherheit.
IPsec-VPN:
- Stabilitätsverbesserungen: Probleme mit langsamer Browserleistung bei policybasierten IPsec-VPNs werden durch verbesserte Stabilität bei ausgegliederter Datenverkehr eliminiert.
Unterstützung für moderne Netzwerkprotokolle
NAT64
- Der Firewall ermöglicht es IPv6-only-Clients, auf IPv4-Websites zuzugreifen, indem er den Datenverkehr im expliziten Web-Proxy-Modus weiterleitet. Zudem wird ein IPv4-Upstream-Proxy für IPv6-only-Clients unterstützt.
Verbesserungen
- Cellular WAN: Eine automatische Konfiguration mit “8.8.8.8” als zweites Ziel für die Probe verbessert die Überwachung und reduziert die Notwendigkeit manueller Einstellungen, da ISPs Gateway-Pings oft blockieren.
- DHCP: Der DHCP-Dienst stellt sich automatisch von Fehlern wieder her, was die Ausfallsicherheit erhöht.
- SD-RED: SD-RED-Geräte bieten nun Remote-Troubleshooting und Diagnose durch Sophos Support, was die Wartung und Fehlerbehebung erheblich erleichtert.
Warum ist das Update wichtig?
Das Update sorgt dafür, dass Ihre Sophos XGS Firewall immer auf dem neuesten Stand ist – mit optimaler Sicherheit, besserer Performance und einer stabileren Plattform für Ihr Unternehmensnetzwerk. Es ist besonders wichtig für Kunden, die noch ältere Versionen verwenden, da es viele Bugfixes und Stabilitätsverbesserungen enthält.
Wie kann ich das Update installieren?
Das Update kann über die Sophos Central Admin Console oder direkt über das Firewall-Interface heruntergeladen werden. Es ist ratsam, das Update so schnell wie möglich durchzuführen, um die Vorteile der neuen Funktionen und Sicherheitsverbesserungen zu nutzen.
Fazit: Sophos Firewall OS v21 MR1 ist ein wichtiger Schritt zur Verbesserung der Sicherheit und Performance Ihrer Netzwerkinfrastruktur. Mit den neuen Funktionen und Optimierungen wird die Verwaltung und Sicherheit Ihrer Firewall erheblich vereinfacht und gestärkt.
Sie haben Fragen?
Wir stehen für Serviceorientierung, zukunftsfähige IT-Architektur und maßgeschneiderte ERP Lösungen.
Lassen Sie sich vom Experten aus Berlin individuell beraten!
Fixed Issues:
| Issue ID | Component | Description |
|---|---|---|
| NC-138431 | Authentication | MFA tokens weren’t working for SSL VPN users after a firmware upgrade to 20.0 MR1. |
| NC-141413 | Authentication | Authentication service stopped responding because of “read_from_client” issues. |
| NC-144562 | Authentication | Unable to add users to the MFA setting after a certain limit. Error appeared on the web admin console. |
| NC-139323 | Certificates | IPS service failed after upgrading to 20.0 MR1. |
| NC-135473 | Clientless Access | Unable to download the configuration file from VPN portal after HA failover with specific conditions. |
| NC-141997 | Clientless Access | Vulnerabilities found in the scan for VPN portal. |
| NC-147793 | VPN | Pattern update failure for SSL VPN. |
| NC-133133 | CM | Group configuration import in Sophos Central management failed from XG 86w firewall. |
| NC-135944 | CM, CM (Join to Cloud) | Unable to access or manage the firewall from Sophos Central. |
| NC-140829 | CM | Intermittent issues with internet connectivity because Garner main thread was blocked during Sophos Central plugin reconfiguration. |
| NC-144699 | CM | FRP-SSO failed when a firewall was deregistered from a Sophos Central account and registered to a different account. |
| NC-137123 | Core Utils | Low swap memory in a device migrated from 17.5 involving a virtual deployment with two disks. |
| NC-138159 | Core Utils | Command failure wasn’t handled in HA migration. |
| NC-143615 | Core Utils | USB keyboard didn’t work on the CLI in 20.0 MR2 deployed on third-party hardware. |
| NC-135421 | CSC | Firewall rules stopped working after a power failure. |
| NC-135613 | DDNS | DDNS didn’t show data on the web admin console. |
| NC-136462 | DHCP | DHCP service was unresponsive for a valid domain entry in Next-Server. |
| NC-137870 | DHCP | Backup-restore failed for DoS rules because system interface mapping failed. |
| NC-133859 | DKIM signatures didn’t work as expected. Emails were quarantined. | |
| NC-133988 | Entries for rejected mail weren’t logged because of the message size. | |
| NC-134038 | Emails bounced or weren’t delivered when the subject contained “&” with SPX turned on. | |
| NC-141753 | Quarantined digest email’s subject showed an incorrect “From” date. | |
| NC-152919 | Unable to release quarantine emails from the user portal. | |
| NC-123910 | Firewall | Kernel panic in FTP over HTTP scenario. |
| NC-131411 | Firewall | Forwarded traffic didn’t work randomly for connections through SATC. |
| NC-137779 | Firewall | User accounting was done for traffic going through a network rule. |
| NC-152641 | Base | The firewall stopped processing traffic due to SWAP memory configuration changes after it was upgraded to 21.0 MR1 Build 237. |
| NC-123807 | Gateway Management | Kernel crash dump occurred in a firewall with SFOS 20.0 GA. |
| NC-100951 | HA | Gateway status of an interface configured with dynamic IP assignment was, occasionally, not in sync in an active-passive auxiliary device after HA failover. |
| NC-137215 | HA | TCP traffic didn’t work in active-active HA mode with XFRM deployment. |
| NC-144474 | Interface Management | Physical interfaces and expanded logical interfaces weren’t visible after upgrading to 21.0 GA. |
| NC-140591 | IPS-DAQ-NSE | An AWS website didn’t work randomly. Log viewer showed the following error: “TLS handshake fatal alert: decode error(50)”. |
| NC-140666 | IPS-DAQ-NSE | Unable to connect Office365 SMTP with SSL/TLS turned on after an upgrade to 20.0 MR1. |
| NC-138180 | IPsec | Auxiliary device was receiving NAT-T IPsec packets on rekeying after an upgrade to 20.0 MR1. |
| NC-138822 | IPsec | XFRM interface status appeared as “Not configured” even when the IPsec tunnel was established. |
| NC-143095 | IPsec | Unable to download IPsec iOS profile from the VPN portal. |
| NC-146469 | IPS Engine | IPS optimization issue with the number of cores after migration to a different appliance. |
| NC-143051 | Logging Framework | Sophos Firewall appliances stopped sending logs to Graylog syslog server. |
| NC-146431 | MDR Framework | MDR threat feeds showed that the requirements weren’t met even though they were. |
| NC-139922 | NFP-Firewall | Mismatched interfaces when IPsec acceleration was turned on. |
| NC-144311 | NFP-Firewall, USFP | Malformed or specifically crafted inner decrypted L3 payload may result in an unresponsive NPU. |
| NC-141503 | Postgres | IPS stopped responding. Unable to restart it because postgres connections exceeded the limit. |
| NC-137106 | QoS | QoS download speed wasn’t restricted for SSL VPN users. |
| NC-136900 | RED | Fixed the RED APU file removal and creation on the auxiliary device after this device restarted. |
| NC-144581 | RED | Offline-provisioned RED became non-functional after a RED firmware upgrade. |
| NC-146114 | RED | Primary device automatically restarted and failed over to the auxiliary device after an upgrade to 21.0 GA. |
| NC-138286 | Reporting | Custom view wasn’t listed in the custom report when accessing the firewall from Sophos Central. |
| NC-128242 | SDWAN Routing | TFTP traffic didn’t flow as expected with an SD-WAN profile. |
| NC-130534 | SDWAN Routing | Web pages timed out with web proxy when MAC address-based SD-WAN rules were used. |
| NC-137341 | SDWAN Routing | The iptable entries of SD-WAN routes disappeared. |
| NC-141637 | Security Heartbeat | Devices were blocked despite green health and no missing heartbeat alert in Sophos Central. |
| NC-142435 | Sentry framework | Snort, garner, and access server processes weren’t terminated properly because the process was stuck in GenerateDump. |
| NC-139458 | SSL VPN | Services page and SSL VPN Assistant weren’t loading. |
| NC-139849 | SSL VPN | Discrepancies in the site-to-site SSL VPN import validation. |
| NC-142397 | SSL VPN | Out of memory issue. SSL VPN caused the /tmp partition to fill up. |
| NC-145261 | SSL VPN | Incorrect count appeared on the dashboard for connected remote users in 21.0 GA. |
| NC-144955 | Static Routing | Static route remained on the auxiliary device after enabling HA. |
| NC-122478 | UI Framework | Web policy automatically scrolled, leading to a misplaced dialog box. |
| NC-141688 | UI Framework | Need to support automatic language detection for users with SSO sign-in. |
| NC-151389 | UI Framework | Hotspot voucher didn’t load on the user portal. |
| NC-135798 | WAF | Set Cache-Control to no-cache, no-store for WAF. |
| NC-140403 | WAF | Pop-up appeared when you opened a WAF rule and clicked the cancel button without any modification to the rule. |
| NC-140550 | WAF | When WAF was used, floating HTML with the cart content didn’t appear after items were added to it. |
| NC-142170 | WAF | Fixed how the firewall handles deleted and disabled interfaces referred to in Let’s Encrypt certificates. |
| NC-144659 | WAF | Let’s Encrypt service showed a busy status in 21.0 GA. |
| NC-152963 | Firewall | With Let’s Encrypt turned on, firewall rule positions were altered, affecting the firewall rules that match the traffic. |
| NC-136403 | Web | Web policy override must tell the browser not to autofill bypass codes. |
| NC-136616 | Web | AD SSO didn’t work with Kerberos for a specific server and user. |
| NC-140864 | Web | The “Missing template” error appeared instead of the Sophos block page. |
| NC-141088 | Web | The Restrict-Access-To-Tenants setting has a character limit of 256. |
| NC-142515 | Web | Content filter blocking didn’t work with Facebook search. It worked with other websites. |
| NC-136099 | WebInSnort | SSL/TLS inspection rules containing only unsupported services behaved like Service was set to Any. |
| NC-140491 | WWAN | Modem didn’t connect after an upgrade to SFOS 21.0 EAP0 in XGS 116. |
| NC-142427 | WWAN | Huawei Modem (4G dongle) didn’t connect to the firewall after an upgrade to 20.0 MR2. |
