Sophos Xg Community




This article provides the steps to enable Sophos Central Management of XG Firewall. You will need a Sophos Central account (either a trial or license) but no other Sophos product is required.

Sophos XG Firewall supports Session Initiation Protocol (SIP) for multimedia communications like VOIP. The SIP Module is enabled by default and provides the following functions for SIP traffic:

  • Works on UDP port 5060.
  • NATs local IP addresses to public IP addresses.

XG Firewall v18 got off to a tremendous start with thousands of customers upgrading on launch day to take advantage of the new Xstream Architecture and other great enhancements.

Today, the product team is pleased to announce a new release of XG Firewall v18, maintenance release 1 (MR1), that is now available for all XG Firewall devices.

This latest release includes all security hotfixes as well as over fifty performance, reliability and stability enhancements and support for our new SD-RED devices.

Upgrading to v18 MR1 is seamless from v17.5 MR6 and above and from any other v18 release version. You will soon start seeing the new release appear in your console with a firmware upgrade notification, but you don’t need to wait, you can grab the new release anytime from the MySophos Licensing Portal: Upgrade Today!

What’s new and in it for you

Watch this brief 5-minute overview of what’s new in XG Firewall v18:

Here are the top new enhancements:

  • Xstream Architecture: A new streaming DPI engine, high-performance TLS 1.3 inspection, AI-powered threat intelligence with in-depth reporting, and FastPath application acceleration.
  • Sophos Central: Group firewall management and cloud reporting make management easier and provide deeper insights into network activity with flexible report customization tools and a new license for extending your firewall data storage in the cloud.
  • Synchronized SD-WAN: brings the power of Synchronized Security to reliably and accurately route application and user-based traffic over preferred WAN links.
  • Plug-and-Play High Availability (HA): makes it easy to enable business continuity and adds peace-of-mind – simply connect two XG Series appliances together and you’ll be up and running in no time. Sophos Central now also supports HA pairs.
  • Real-time flow monitoring: Get at-a-glance insights into active bandwidth consuming hosts, applications, and users – a fan favorite feature from our UTM 9 platform.
  • Expanded notifications and alerts: You will never miss an important network security event whether it’s related to a threat, service, or important performance metric.
  • New SD-RED Model Support: With MR1, take advantage of our all-new SD-RED 20 and SD-RED 60 models that provide added performance, modular connectivity, and redundant power for the ultimate solution to remote branch or device connectivity.

Upgrading XG Firewall firmware is easy. Watch this video for a refresher.

Start enjoying the benefits of added visibility, protection and performance with XG Firewall v18 MR1 today!

Migrating from SG UTM

Sophos SG UTM customers interested in taking advantage of all the great new enhancements in XG Firewall can do so for free – anytime. A valid license can be transferred over at no extra charge and Sophos Professional Services is happy to help with migration if desired. Existing SG Series hardware is fully supported (except for the SG 105 which lacks the minimum required 4 GB of RAM). However, you may want to take this opportunity to consider refreshing your hardware to take full advantage of all the new capabilities such as TLS inspection. Check out this recent article for full details.

Migrating from Cyberoam

Migrating from Cyberoam to XG Firewall v18 is strongly encouraged to get all the added usability, security and performance benefits of XG Firewall. Contact your preferred Sophos partner to inquire about upgrading to the latest high-performance XG Series appliance hardware.

New to XG Firewall

If you’re new to XG Firewall, see why it offers the world’s best visibility, protection and response.

As organizations look to keep their workforce connected and productive, the ability for employees to work from home or any other location has become critical. While coronavirus (COVID-19) is driving the current increase in remote working, long commute times, severe weather and the need for greater flexibility are just some of the other reasons companies are looking at alternatives to working in an office.

Sophos XG Firewall and SD-RED devices provide businesses, schools, hospitals and other organizations with multiple solutions for secure remote connectivity. Employees can have access to applications, email and resources on the network from their own home, just as if they were onsite. And, you can keep them safe with features like web filtering which controls access to websites containing harmful and inappropriate content. Here’s how:

XG Firewall and Connect client


If you own an XG Firewall (hardware or virtual appliance), you have a perpetual Base license that includes both IPsec and SSL VPN connectivity. You can choose either or both to provide your remote workers with access to the corporate network.

Setting up IPsec-based remote access is managed through Sophos Connect client on XG Firewalls running v17.5 or newer firmware. Connect client is focused on ease of use and reliability to ensure an extremely positive user experience. Just select your desired network or office and click “Connect” to establish an encrypted VPN tunnel that secures the transmission of traffic (data, applications, etc.) between the firewall and remote device. On the client side, the remote device uses free Connect client software for either Windows or macOS to create the VPN connection.

SD-RED

An alternative solution for connectivity from home is Sophos SD-RED. These low-cost Remote Ethernet Devices create a secure Layer 2 VPN tunnel to a central XG Firewall. SD-RED makes a great remote access solution for connecting remote sites, as well as for individual employees who deal with particularly sensitive information, such as executives.

No technical expertise is needed to connect the device. Simply note the device ID in your XG Firewall and ship it to the employee. As soon as it’s plugged in and connected to the internet, the SD-RED appliance contacts your XG Firewall and establishes a secure dedicated VPN tunnel. You can connect to the device directly or wirelessly through a Sophos APX wireless access point.

IPsec or SSL VPN: Which remote access solution is right for me?

With both IPsec and SSL VPN options available to you in XG Firewall, how do you choose the one that’s right for you? Here are some points to consider when evaluating your environment:

IPsec VPN – Sophos Connect client


Strengths:

  • Easy for administrators to bulk deploy and provision
  • Intuitive to use
  • Consistent performance
  • Windows and macOS support

Challenges:

  • IPsec occasionally blocked on hotel/public hotspot networks
  • No automated user group provisioning

SSL VPN

Strengths:

  • Provision access by user groups
  • Works in more restricted environments
  • Standards-based with broad platform support

Challenges:

  • Agent deployment geared to end user self-installation
  • User action required to deploy VPN policies

Resources

Sophos has a series of tools to help you learn more about configuring IPsec and SSL VPN connections for secure remote access using your XG Firewall:

• XG Firewall: Useful links for configuring VPN remote access – Community article
• Using Sophos Connect VPN client – Community article
• XG Firewall: Sophos Connect client – Knowledge Base article
• Sophos Connect client – User Assistance article
• Sophos Connect VPN client – Video
• XG Firewall: How to deploy Sophos Connect via Group Policy Object (GPO) – Knowledge Base article
• XG Firewall: How to configure SSL VPN remote access – Knowledge Base article and video
• XG Firewall: Licensing guide – Knowledge Base article
• XG Firewall: Performance testing methodology – Knowledge Base article

Securing remote connections

With sensitive information travelling back and forth between the firewall and remote devices over the internet, ensuring the traffic is secured from threats is critical. If your XG Firewall has a TotalProtect Plus or FullGuard Plus license, traffic is scanned for ransomware, viruses, intrusions, and other threats in both directions, providing comprehensive protection.


Extend your protection with Synchronized Security

When your remote device has an active Sophos Intercept X license, it can share real-time threat, health and security information with XG Firewall via the Security Heartbeat™. If a remote device becomes infected, XG Firewall isolates the device until it is cleaned, preventing the infection from moving laterally to other devices on the network.


Stay home, stay connected


Whatever the reason your workforce is at home, you can help them stay connected with your XG Firewall. Check out the resources in this article, and for more information, speak with your local Sophos sales team. Stay tuned for enhancements to Connect client in an upcoming XG Firewall v18 maintenance release.