Sophos XG Firewall release notes - Release notes Version: 18.0 - Documentation

Page created by Willie Powers

IT & Technique

English

Like
Share
Embed
Fullscreen
Slides
Download HTML
Download PDF
Abuse

←

→

Page content transcription

If your browser does not render page correctly, please read the page content below

Sophos XG Firewall release notes - Release notes Version: 18.0 - Documentation

Sophos XG Firewall release notes
Release notes
Version: 18.0

Sophos XG Firewall release notes                                                    Supported platforms

1. Supported platforms
SFOS 18.0 is supported on all XG and SG appliances with at least 4 GB of RAM.
With the new Xstream packet processing architecture, you will enjoy a nice performance boost on
your existing hardware.
SFOS 18.0 won't be supported on older XG 85/105 and SG 105 models that have 2 GB of RAM but
will run perfectly on the newer XG 86/106 models that have 4 GB of RAM.
Cyberoam appliances don't support SFOS 18.0. Models that don’t support version 18 will continue
to be supported for the foreseeable future on version 17.5. However, you can restore Cyberoam
firewall backups on XG Firewall operating on 18.0.
For upgrade information, go to Upgrading to SFOS 18.0.1 (page 3).

2                                           20200908                        Copyright © Sophos Limited

Upgrading to SFOS 18.0.1                                                             Sophos XG Firewall release notes

2. Upgrading to SFOS 18.0.1
SFOS 18.0.1 MR1 Build 396
You can upgrade from SFOS 17.5 (MR6 to MR12) to 18.0.1 MR1 (build 396). Currently, you can't
migrate from 17.5 MR13, MR14, and MR14.1 to 18.0. We'll update this page when they can migrate
to 18.0 MR3. For details, see the table below:
The security hotfixes released until now are part of SFOS 18.0.1 MR1 (build 396). So, the hotfixes
referred to in KBA135412, HF051220.1, and HF052220.1 are NOT required for this release.

  Migrate from 17.5           Migrate to 18.0

                              MR1 (Build 396)            MR2                       MR3

  17.5 MR6 to MR12            Yes                        Yes                       Planned

      • 17.5 MR13             No                         No                        Planned

      • 17.5 MR14
      • 17.5 MR14.1

              CAUTION
              Do not migrate from 17.5 MR13, MR14, or MR14.1 to 18.0 MR1 or MR2. If you
              try to migrate, XG Firewall shows an alert asking you to confirm the migration
              before it restarts. If you confirm the migration, XG Firewall restarts with the factory
              configuration, and you lose your current configuration.

Note the following upgrade information for SFOS 18.0 and later:

    • 18.0 and later versions require a minimum of 4 GB RAM. So, you can't upgrade the following
      models to 18.0 and later:
          ◦ XG 85, XG 85w, XG 105, and XG 105w
          ◦ SG 105, SG 105w
      These models must remain on a 17.x version. See XG Firewall Lifecycle Policy and XG Firewall
      retirement calendar.

    • Support for RED devices:
          ◦ Doesn't support RED 10 devices.
          ◦ Supports SD-RED 20 and 60 devices.

    • Cyberoam models don't support 18.0 and later firmware versions. However, you can restore
      Cyberoam firewall backups on XG Firewall operating on 18.0 and later.
    • Firmware:

Copyright © Sophos Limited                         20200908                                                      3

Sophos XG Firewall release notes Upgrading to SFOS 18.0.1

◦ Rollback (firmware switch) is supported. You can roll back to 17.5 MRx if you experience
any issues with 18.0 and later. For example, the active firmware on the firewall is 18.0
and the other firmware version is 17.5. You can switch between these two versions. This
doesn't change the configuration on either.
◦ You can't downgrade from 18.0 and later to an older firmware using 17.5 or an earlier
firmware file. The web admin console will show an alert.
18.0 and later use Grub boot loader. The changed bootloader can't recognize 17.x
firmware. You can still use the hardware ISO of 17.5 or earlier to have the firewall on an
older firmware version and restore the downgraded firmware's backup.

◦ In 18.0, we moved to a more secure firmware signing method. The firmware update files
now use the .sig extension and not the earlier .gpg extension.

◦ The web admin console shows the specific reasons for firmware upload failure.

• Backup and restore are supported. You can restore the following on 18.0 and later versions:
◦ SG firewalls running SFOS
◦ Cyberoam firewalls
◦ XG Firewall backups

• HA: SFOS 18.0 moved to SSH tunnel-based secure communication for the HA cluster. If
you're upgrading the HA cluster to 18.0 or later, both the devices in the cluster will reboot
simultaneously once. You'll receive an alert on the UI before you can proceed.
• Quarantined emails: You can only release quarantined emails from the user portal. For details,
see KBA135515.
What's new

• SFOS 18.0 and later versions are available on the Amazon Web Services (AWS) public cloud
infrastructure.
• Supports SD-RED 20 and 60 devices.
• Key information you need to know about how to configure the following:
◦ NAT rules (page 25)
◦ What's new in SD-WAN policy routing (page 47)
◦ SSL/TLS inspection rules (page 8)

New features Sophos XG Firewall release notes

3. New features
The release notes site describes the new features introduced in XG Firewall 18.0.
The left menu gives the key features, their significance, and how to implement them. For detailed
information of XG Firewall, go to the online help.
For an overview of the key features, please read What’s New in v18.

3.1 Xstream architecture
We are introducing the new Xstream architecture for XG Firewall - A new streaming packet
processing architecture that provides extreme levels of protection and performance. The new
architecture includes:

• Xstream SSL inspection: Enable SSL inspection on your network without compromising
network performance or the user experience. It delivers high-performance, high-connection-
capacity support for TLS 1.3 and all modern cipher suites providing extreme SSL inspection
performance across all ports, protocols, and applications. It also comes equipped with
enterprise-grade controls to optimize security, privacy, and performance.
• Xstream DPI engine: Enables comprehensive threat protection in a single high-performance
streaming DPI engine with proxyless scanning of all traffic for AV, IPS, and web threats as well
as providing application control and SSL inspection.
• Xstream network flow FastPath: Provides the ultimate in performance by intelligently offloading
traffic processing to transfer trusted traffic at wire speeds. FastPath offloading can be controlled
through policy to accelerate important cloud application traffic or intelligently by the DPI engine
based on traffic characteristics.

3.1.1 FastPath network flow
Xstream architecture enables the offloading and streaming of packet processing for high levels of
protection and performance.
The architecture contains the DPI (Deep Packet Inspection) engine, SSL/TLS inspection, and the
FastPath network flow.
The DPI engine applies SSL/TLS decryption and inspection, IPS policies, application identification
and control, web policies (including proxyless web filtering), and antivirus scanning in a single
engine. Antivirus scanning includes Sandstorm protection and file reputation analysis.
SSL/TLS inspection decrypts and inspects SSL/TLS connections that use modern cipher suites
across all ports and protocols. For details, go to Rules and policies > SSL/TLS inspection rules.
FastPath network flow offloads (bypasses processing of) trusted traffic. Offloading eliminates
the need to apply full firewall processing to every packet in a connection, minimizing the use of
processing cycles.

Note
Currently, we don't offload VPN, QoS, DoS, RED, and HA traffic to FastPath.

Sophos XG Firewall release notes New features

You can optimize FastPath offloading through rules and policies to accelerate cloud application
traffic or through the DPI engine based on traffic characteristics.

FastPath network flow
The data plane is the core hardware and software component. It works in the FastPath, kernel
(firewall stack), and user space domains, offloading trusted packets throughout a connection's
lifetime. The DPI engine is in the user space.
FastPath provides an efficient, zero-copy path into the DPI engine, eliminating the need to retain
copies in the kernel memory. The data plane caches the classification decisions of the kernel and
user space, and applies them to all the traffic in a connection, lightening the load on the hardware.
This enables FastPath to offload some or all processing of a packet from the CPU.
The firewall stack still requires the CPU to handle the connection rate.

Note
XG Firewall retains firewall stack (slowpath) processing as a fallback path for
functionalities that can’t be processed in FastPath or if FastPath can't function. The
firewall stack continues to process certain protocols, such as IP in IP.

FastPath is software-based and is also available as Virtual FastPath (VFP), enabling us to maintain
a common architecture for XG Firewall devices and the software and virtual platforms of XG
Firewall. The firewall stack can offload to FastPath through VFP or the FastPath API. VFP updates
and features are part of SFOS releases.

Note
Virtual FastPath supports the NIC drivers i40e, e1000, e1000e, igb, ixgbe, and
vmxnet3. VFP won’t load on other drivers, but XG Firewall (including the DPI engine)
still functions fully, but without the FastPath performance enhancements.
Currently, Virtual FastPath supports up to 3500 MTU on e1000 and e1000e NICs.

Note
For virtual deployments, Virtual FastPath supports the VMware ESXi hypervisor. For
other hypervisors, such as KVM, turn off FastPath using the CLI command for firewall
acceleration.

Firewall acceleration
When you turn off firewall acceleration on the CLI console or when FastPath doesn’t load, XG
Firewall continues to function fully, but without the performance enhancements of FastPath.
To turn firewall acceleration on or off through FastPath and to see the status, use the following CLI
commands:

Option CLI command

Show firewall acceleration console> system firewall-
acceleration show

New features Sophos XG Firewall release notes

Option CLI command

Turn on firewall acceleration console> system firewall-
acceleration enable

Turn off firewall acceleration console> system firewall-
acceleration disable

Note
FastPath doesn’t support tcpdump. It’s turned off when you run a tcpdump command.

FastPath
Traffic for a connection flows in the stateful firewall mode initially. The firewall stack processes the
first packet and does the following:
• Applies the firewall rule action.
• Makes layer 2 and layer 3 decisions that include routing, switching, forwarding, and RED traffic-
related decisions.
• Makes decisions related to ingress decapsulation and egress encapsulation, including
decisions for IPsec VPNs.
• Applies DoS (Denial of Service) policies.
• Applies QoS (traffic shaping) policies.

After one packet from each direction passes through XG Firewall, the firewall stack fully classifies
the flow, and programs a connection cache in FastPath. It offloads kernel processing for
subsequent packets in the same connection to FastPath. These packets don’t require further
processing to verify their identity and destination. With stateful tracking of individual connections,
FastPath processes the packets fully, saving CPU cycles and memory bandwidth. FastPath acts
only as directed by the kernel.
DPI engine
For security decisions, the firewall stack delivers the initial packet to the DPI engine through the
Data Acquisition (DAQ) layer. FastPath delivers subsequent packets directly to the DPI engine
through the DAQ layer, which is a high-speed mechanism to move packets into and out of the DPI
engine. The direct delivery eliminates the need to retain copies in the kernel memory.
The DPI engine inspects traffic from layer 4 and higher through streaming processing. Offloading
decisions are taken at each stage of security processing.
SSL/TLS engine: For unencrypted traffic, when SSL/TLS inspection rules are turned on, the
SSL/TLS module directs the DAQ layer to skip SSL/TLS processing for the flow. For encrypted
traffic, when SSL/TLS inspection rules have been set up, the DPI engine continues to modify traffic
throughout the connection lifetime. This ensures that the connection isn't dropped because the SSL/
TLS connection has been modified for inspection.
Intrusion prevention and Application control: With application control turned on, the initial
packets are delivered to IPS for application identification. IPS classifies the application after a
few packets and gives a policy verdict for application control, which may give new forwarding
behavior and QoS parameters. The DAQ layer communicates these decisions to the kernel and the
hardware. From this point onward, the connection may be completely offloaded to FastPath.

Sophos XG Firewall release notes New features

IPS may pass a verdict to stop security processing based on factors, such as a safe signature or
verdict from SophosLabs, a matching IPS policy with bypass action, or based on earlier guidelines.
Antivirus and Web filtering: If the IPS verdict is that the traffic is safe, antivirus scanning
doesn't take place. If web filtering applies, web traffic scanning continues until the end of the flow,
depending on the HTTP responses.
From this point onward, FastPath offloads traffic from the kernel and handles layer 2 and layer 3
processing. The ability to offload some or all processing minimizes load on the CPU.

How to enable FastPath with rules and policies
Here are examples of rules and policies that enable FastPath to handle traffic fully, bypassing the
firewall stack and the DPI engine:

• A firewall rule without IPS, web filtering, antivirus, or application control. Traffic is offloaded to
FastPath after the initial packet passes through XG Firewall on either side of the connection.
• A firewall rule with application control policy. Traffic is offloaded to FastPath after about eight
packets.
• A firewall rule with IPS policy set to the rule action Bypass session. Traffic that matches IPS
policy rules with this action is offloaded to FastPath.
• A firewall rule with the following policies:
◦ An IPS policy containing intelligent offload signatures from SophosLabs.
◦ Web filtering without malware and content scanning or DPI engine settings. For firewall
rules with malware and content scanning and DPI engine settings, FastPath delivers traffic
to the DPI engine directly, bypassing the firewall stack.

• No SSL/TLS inspection rules. For rules with the action set to Decrypt, FastPath delivers traffic
to the DPI engine directly, bypassing the firewall stack.
• SSL/TLS inspection rules with the action set to Don't decrypt. For STARTTLS connections,
traffic is offloaded to FastPath after 15 packets.

3.1.2 SSL/TLS inspection rules
With SSL/TLS inspection rules, you can intercept and decrypt SSL and TLS connections over TCP,
enabling XG Firewall to enforce secure connections between clients and web servers.
SSL/TLS inspection enables the prevention of malware transmitted through encrypted connections.
You can enforce policy-driven connections and decryption for inbound and outbound SSL/TLS
traffic based on the traffic and risk level.
SSL/TLS inspection rules don't affect the decryption of traffic handled by the web proxy. You specify
the method of web filtering (web proxy or the DPI engine) in firewall rules. By default, XG Firewall
uses the DPI engine, applying SSL/TLS inspection rules to traffic matching the firewall rule criteria.
SSL/TLS inspection rules are turned on by default for fresh installations. For deployments migrating
from SFOS 17.5 and earlier, they're turned off by default. You can turn them on or off manually.

New features Sophos XG Firewall release notes

CAUTION
When SSL/TLS inspection rules are turned off, XG Firewall won't apply them to the
connections. The control center and log viewer won't show the SSL/TLS connection
and decryption details.

Warning
Android devices are known to generate SSL/TLS certificate errors, causing decryption
to fail. We recommend creating an SSL/TLS exclusion list for all Android devices.

Rule table actions
• You can filter the rules by the source, destination, and rule ID.
• To reset the rule filter, select Reset filter.

Click More options to specify the following actions:

• To edit or delete a rule, select the action.
• To clone or add a rule next to an existing rule, select the action.
• To turn on or turn off a rule, select the switch.
To change the position of a rule, drag and drop the Rule handle ( ). XG Firewall evaluates rules
from the top down until it finds a match. Once it finds a match for the packet, it doesn’t evaluate
subsequent rules. Position the specific rules above the less specific rules.

SSL/TLS inspection rules
SSL/TLS inspection detects SSL/TLS traffic on any TCP port. Inspection rules apply to detected
SSL/TLS connections. You can specify rules to decrypt traffic based on the source, destination,
users and groups, services, websites, and web categories. To take effect, the rule must find a
match in all criteria.
You need to select a decryption profile for each rule to specify the action for traffic with issues, such
as insecure protocol versions, SSL compression, unrecognized cipher suites, cipher algorithms
to block, certificate errors, or connections that exceed the firewall's decryption capabilities. After
decrypting and inspecting the traffic, XG Firewall re-encrypts the traffic with the re-signing certificate
authority that you specify.
You can use SSL/TLS inspection rules in these cases:

• Implement policy-driven decryption and meet compliance requirements.
• Prevent malware transmission through encrypted traffic.
• Apply web content policies to encrypted traffic to prevent unwanted uploads and downloads
without obstructing general browsing.

Exclusions to SSL/TLS inspection rules
XG Firewall provides a default exclusion rule Exclusions by website or category that prevents
connections to certain websites from being decrypted. The rule has action set to Don't decrypt and
the decryption profile set to Maximum compatibility.

Sophos XG Firewall release notes New features

The rule is permanently positioned at the top of the SSL/TLS inspection rule table. SSL/TLS
inspection rules are evaluated top down in the rule table.
The exclusion rule contains the following default exclusion lists:

• Local TLS exclusion list: The list is empty by default. You can add websites to this list by
troubleshooting in the Control center or Log viewer. To edit this list, go to Web > URL
groups.
Websites and browsers that use certificate pinning block the requested page fully or partially
when SSL/TLS inspection is turned on. If an error message is shown, it may not show an
identifiable reason. If you want to bypass SSL/TLS inspection, you can use the local TLS
exclusion list to allow the domains.

• Managed TLS exclusion list: The list contains websites known to be incompatible with SSL/
TLS inspection and is updated through firmware updates.

Tip
To add websites to the exclusion rule or remove them, edit the rule and add or remove
the web categories or URL groups. Alternatively, go to Web > URL groups and edit
the group Local TLS exclusion list.

You can exclude web categories, URL groups, users, source and destination IP addresses and
networks by creating your own exclusion rules and placing them immediately below the default
rule. Add only connections you don’t want to be decrypted by other SSL/TLS inspection rules to an
exclusion rule.
SSL/TLS inspection rules are applied independently of firewall rules. Inspection rules continue to
enforce the specified exclusions even if you don't select a web policy in firewall rules.
You can use both web exceptions and SSL/TLS exclusion rules to stop connections from being
decrypted. For details of how they differ in enforcing HTTPS decryption-related exceptions, see the
table below:

SSL/TLS exclusion list Web exception

Processes you can exclude HTTPS decryption HTTPS decryption
HTTPS certificate and protocol HTTPS certificate validation
enforcement
Malware and content scanning
Sandstorm
Web policy checks

Applies in this mode DPI mode DPI mode
Proxy mode

Applies to this traffic SSL/TLS connections on any DPI mode: SSL/TLS
port. connections on any port.
Proxy mode: SSL/TLS
connections on port 443.

New features Sophos XG Firewall release notes

SSL/TLS exclusion list Web exception

Matching criteria URL group containing a list URL pattern matches using
of websites (domain names) regular expressions.
in plaintext. Includes the
subdomains of these domains.

Web categories Web categories
Source and destination zones, Source and destination IP
networks, and IP addresses addresses and IP ranges
Services
Users and groups

Where to add the exception Add domains and subdomains Add to Web > Exceptions.
to the Local TLS exclusion
list by troubleshooting in
the Control center or Log
viewer.
Go to Web > URL groups
and add websites to a URL
group being used by an
exclusion rule.
Create or edit SSL/TLS
inspection rules.

SSL/TLS inspection settings
These settings apply to all SSL/TLS inspection rules. You can specify the re-signing certificate
authorities (CAs), action for traffic we don’t decrypt, and the TLS downgrade setting. Inspection
settings also allow you turn off SSL/TLS inspection to troubleshoot errors.

CAUTION
We recommend that you turn it back on after troubleshooting.

The decryption profile that you add to an inspection rule overrides the inspection settings.

Firewall rules and web proxy
XG Firewall applies the firewall rules first and then the SSL/TLS inspection rules. It applies the
inspection rules in transparent mode based on the web proxy selection you make in the firewall rule.
Transparent mode: In the firewall rule, if you’ve selected decryption and scanning by web proxy,
traffic over ports 80 and 443 is decrypted by the web proxy. SSL/TLS inspection rules will then be
implemented only for web traffic over other ports.
Explicit mode: Decryption and scanning is performed by the web proxy.

Sophos XG Firewall release notes New features

Note
The web proxy uses the certificate specified in Web > General settings.
SSL/TLS inspection uses the certificates specified in SSL/TLS inspection settings
and Decryption profiles.

Troubleshooting
To see if SSL/TLS connections have been exceeding the decryption limit, go to Control center and
select the SSL/TLS connections widget.
To troubleshoot SSL/TLS errors, go to Control center, select the SSL/TLS connections widget,
and select Fix errors in the upper-right corner.
If you don't see the connection and decryption details in the control center or the log viewer, make
sure the following are turned on:
• SSL/TLS inspection rules: Go to Rules and policies > SSL/TLS inspection rules and turn the
SSL/TLS inspection switch on.
• SSL/TLS engine: Go to Rules and policies > SSL/TLS inspection rules > SSL/TLS
inspection settings. Under Advanced settings > SSL/TLS engine, select Enabled.

SSL/TLS inspection rules and the SSL/TLS engine
SSL/TLS inspection: You can turn SSL/TLS inspection rules on or off. For deployments migrating
from SFOS 17.5, the inspection rules are turned off by default to prevent potential behavioral
changes during the upgrade.
You must turn SSL/TLS inspection on to enable the new XStream SSL/TLS decryption functionality,
including showing SSL/TLS connection statistics on the Control center.
When SSL/TLS inspection is set to On, XG Firewall works as follows:

• Inspects all traffic and identifies SSL/TLS connections.
• Applies SSL/TLS decryption rules and logs connections as required by the rules.
• Updates SSL/TLS connection statistics and shows them on the Control center.
When SSL/TLS inspection is set to Off, XG Firewall works as follows:

• Doesn't evaluate or apply SSL/TLS decryption rules.
• DPI engine doesn't decrypt SSL/TLS connections. XG Firewall still decrypts connections
handled by the web proxy based on the firewall rule settings.
• Doesn't gather any SSL/TLS statistics. Won't update the statistics shown on the Control
center any longer.
• For traffic matching firewall rules that have a web policy specified, and are not configured to
use the web proxy, the DPI engine still uses SSL/TLS inspection to enforce the policy on non-
decrypted HTTPS connections.
SSL/TLS engine: You can enable or disable the SSL/TLS engine in SSL/TLS inspection settings.
When you disable the engine, XG Firewall won't use the SSL/TLS inspection engine at all. Use this
option only for troubleshooting purposes based on advice from Sophos Support. When the engine is
disabled, XG Firewall does the following:

New features Sophos XG Firewall release notes

• Won't evaluate or apply SSL/TLS decryption rules.
• Decrypts only traffic handled by the web proxy as specified in the firewall rules.
• Won't gather any SSL/TLS connection statistics. Won't update the statistics shown on the
Control center any longer.
• The DPI engine won't apply web policies to any HTTPS traffic. This applies to traffic matching
firewall rules that have a web policy specified, and haven't specified web proxy filtering.

3.1.3 SSL/TLS inspection settings
With SSL/TLS inspection settings, you can specify the default settings to enforce secure protocol
versions and occurrences.
You can specify the re-signing certificate authorities to sign SSL/TLS server certificates after XG
Firewall intercepts, decrypts, and inspects secure traffic. You can specify the settings to drop or
reject non-decryptable traffic, which includes insecure protocol versions and occurrences, such as
SSL compression and connections that exceed the decryption capabilities of the firewall. You can
downgrade TLS 1.3 to TLS 1.2 connections if you face issues using TLS 1.3.

Tip
The settings apply to all SSL/TLS inspection rules. You can override some SSL/TLS
inspection settings by adding individual decryption profiles to inspection rules.

Go to Rules and policies > SSL/TLS inspection rules and select SSL/TLS inspection settings.

Re-signing certificate authorities
Specify the re-signing certificate authority for SSL/TLS connections intercepted by XG Firewall. The
decryption profile attached to an SSL/TLS inspection rule can override these actions for the rule.
Re-signing certificates must be trusted by the endpoint devices. If they aren’t, browsers will show a
warning and may refuse to complete the connection.

Tip
Under most circumstances, this requires the installation of copies of the certificates
in the browsers or the operating system certificate stores of the endpoint devices.
Alternatively, you can create and use signing certificates that are subordinate to an
existing trusted enterprise CA for your organization. It isn’t possible to obtain signing
certificates from CAs that are already trusted by operating systems or browsers.

Most certificate authorities use certificates with either RSA or Elliptic Curve (EC) encryption keys.
In most situations, certificates of one type can be signed by certificate authorities of the other,
allowing you to use the same CA for both. If you encounter problems with applications that expect
certificates of only one type, you can add an EC key and use it for re-signing certificates that were
originally signed by an EC-based authority. If you add a second CA, ensure that it is trusted by all
endpoint devices.

Sophos XG Firewall release notes New features

Name Description

Re-sign RSA with Used when the website’s certificate was signed
using RSA. You can specify an EC or RSA
certificate.

Re-sign EC with Used when the website’s certificate was signed
using EC. You can specify an EC or RSA
certificate.

Non-decryptable traffic
Specify the action for the traffic we won't decrypt, such as insecure protocol versions and
occurrences. The decryption profile attached to an SSL/TLS inspection rule can override these
actions for the rule.

Name Description

SSL 2.0 and SSL 3.0 Allowing these connections lowers security.

SSL compression Compression before encryption has known
vulnerabilities.

When SSL/TLS connections exceed limit Applies to excess traffic when volume exceeds
the decryption capability of the firewall.
To see the decryption limit, go to Control
center and select the SSL/TLS connections
widget.

Select the action for the traffic we won't decrypt:

• Allow without decryption
• Drop: Drops without notifying the source.
• Reject: Drops and sends a connection reset message to the source host.

Note
XG Firewall rejects connections using SSL 2.0 and 3.0, SSL compression, and
Unrecognized cipher suites if you set the action to Decrypt in SSL/TLS inspection
rules.
To allow these connections, create a decryption profile set to Allow without
decryption. Add the profile to an SSL/TLS inspection rule with the action set to Don't
decrypt.

New features Sophos XG Firewall release notes

TLS 1.3 compatibility
TLS 1.3 decryption
Select the action.

• Decrypt as 1.3
• Downgrade to TLS 1.2 and decrypt: Some servers and clients haven’t implemented TLS 1.3
yet. Select this option if you experience issues using TLS 1.3.

CAUTION
Attackers can exploit vulnerabilities during the downgrade. Selecting the downgrade
option applies the setting to all SSL/TLS inspection rules.

For TLS 1.3 connections, you need to set the action to Decrypt in SSL/TLS inspection rules to do
the following:
• Apply the TLS compatibility setting Downgrade to TLS 1.2 and decrypt specified in SSL/TLS
general settings.
• Block certificate errors and apply the minimum RSA key size specified in decryption profiles.
• Apply the block action Reject and notify specified in the decryption profile. If you apply such a
decryption profile to SSL/TLS inspection rules with Don't decrypt or Deny action, XG Firewall
applies the block action Reject.

Advanced settings
SSL/TLS engine: Disable the engine only when you want to troubleshoot. Once you complete
troubleshooting, enable it again.

Warning
When you disable the engine, XG Firewall won't apply SSL/TLS inspection rules, and
the DPI engine won't apply the web policy specified in firewall rules to HTTPS traffic.
However, this does not affect HTTPS decryption by the web proxy when web proxy
filtering is configured in firewall rules.

3.1.4 Add an SSL/TLS inspection rule
You can specify policy-driven inspection rules to establish inbound and outbound SSL and TLS
connections over TCP between clients and web servers and decrypt the traffic.
SSL/TLS inspection detects SSL/TLS traffic on any TCP port. Inspection rules apply to detected
SSL/TLS connections. You can specify rules to decrypt traffic based on the source, destination,
users and groups, services, websites, and web categories. To take effect, the rule must find a
match in all criteria.
You can also add decryption profiles to enforce secure connections.

1. Go to Rules and policies > SSL/TLS inspection rules and click Add.
2. Enter the general details.

Sophos XG Firewall release notes                                                       New features

        Name                               Description

        Rule name                          Type a name.

        Rule position                      Specify the position of the rule in the rule
                                           table:

                                                • Top
                                                • Bottom
                                           XG Firewall evaluates rules from the top
                                           down until it finds a match. Once it finds a
                                           match for the packet, it doesn’t evaluate
                                           subsequent rules. To change the order of the
                                           rules later, you can drag and drop the rule in
                                           the rule table.

        Action                             Select the action:

                                                • Decrypt: Establishes connection and
                                                  decrypts
                                                • Don't decrypt: Establishes the
                                                  connection and doesn’t decrypt. Use this
                                                  to create an exclusion rule.
                                                 Decryption profile restrictions also apply
                                                 to rules with action set to Don't decrypt.

                                                • Deny: Doesn’t establish connection
                                           For TLS 1.3 connections, you need to set
                                           the action to Decrypt in SSL/TLS inspection
                                           rules to do the following:
                                                • Apply the TLS compatibility setting
                                                  Downgrade to TLS 1.2 and decrypt
                                                  specified in SSL/TLS general settings.
                                                • Block certificate errors and apply the
                                                  minimum RSA key size specified in
                                                  decryption profiles.
                                                • Apply the block action Reject and
                                                  notify specified in the decryption profile.
                                                  If you apply such a decryption profile
                                                  to SSL/TLS inspection rules with Don't
                                                  decrypt or Deny action, XG Firewall
                                                  applies the block action Reject.

        Log connections                    Select to log the connections.

16                                 20200908                             Copyright © Sophos Limited

New features Sophos XG Firewall release notes

Name Description

Decryption profile Select a decryption profile or create one. You
can't edit the default profiles.
Decryption profiles override the default SSL/
TLS general settings for the re-signing CA
and action for traffic we can't decrypt. They
allow you to specify a policy-driven action for
the rule.

3. Select the source matching criteria.

Name Description

Source zones Select the zones from which traffic
originates.
You can select only internal zones, since
SSL/TLS inspection rules apply only to
outbound traffic.

Source networks and devices Select the source networks and devices or
create new ones.

Users or groups Select the source users and groups. The rule
will then apply only to traffic originating from
the specified users.

4. Select the destination and service matching criteria.

Name Description

Destination zones Select the destination zones of traffic.

Destination networks Select the destination networks or create
new ones.

Sophos XG Firewall release notes New features

Name Description

Services Select the services or create a new service.
A service is a combination of protocols and
ports.
SSL/TLS connections aren’t enforced over
UDP.

5. Specify the settings for websites and web categories.

Name Description

Categories and websites Select the web categories and websites.
To add an individual website, go to Web >
URL groups or Categories and add the
website to an existing or new object. You
can then select the object in the SSL/TLS
inspection rule.
XG Firewall identifies web categories and
websites based on the SNI (Server Name
Indication) in the SSL/TLS handshake.

Note
XG Firewall enforces SSL/TLS inspection rules and the URL groups you specify
if you have a Base License. You can configure web categories, but can't enforce
them without a Web Protection license.

6. Click Save.

3.1.5 Decryption profiles
Decryption profiles enable you to enforce decryption settings on SSL/TLS connections.

• To clone a decryption profile, click Clone .

• To edit a decryption profile, click Edit .
You can specify the re-signing certificate authorities to sign SSL/TLS server certificates after XG
Firewall intercepts, decrypts, and inspects secure traffic. You can also specify the action for traffic
that can't be decrypted due to issues such as insecure protocol versions, unrecognized cipher
suites, SSL compression, or connections that exceed the firewall's decryption capabilities.
You can specify the action for certificate validation errors and insecure cipher algorithms. You can
also enforce an RSA key size and SSL/TLS versions to use.

New features Sophos XG Firewall release notes

Tip
When you specify a setting in both the decyption profile and SSL/TLS inspection
settings, the settings in the decryption profile override the settings in SSL/TLS
inspection settings.

Note
You can't edit the default profiles.

The default profiles are as follows:
Maximum compatibility: Decrypts as many connections as possible. Doesn't restrict cipher usage.
Block insecure SSL: Prevents the use of weak ciphers. Allows non-decryptable traffic.
Strict compliance: Implements strict compliance. Use this to meet PCI DSS (Payment Card
Industry Data Security Standard) specifications.

3.1.6 Add a decryption profile
Decryption profiles enable you to enforce decryption settings on SSL/TLS connections.

Warning
Android devices are known to generate SSL/TLS certificate errors, causing decryption
to fail. We recommend creating an SSL/TLS exclusion list for all Android devices.

1. Go to Profiles > Decryption profiles and click Add.
2. Enter a name.
3. Optional Add a description.
4. Specify the re-signing certificate authority for SSL/TLS connections intercepted by XG Firewall.
Re-signing certificates must be trusted by the endpoint devices. If they aren’t, browsers will
show a warning and may refuse to complete the connection.

Tip
Under most circumstances, this requires the installation of copies of the
certificates in the browsers or the operating system certificate stores of the
endpoint devices. Alternatively, you can create and use signing certificates that
are subordinate to an existing trusted enterprise CA for your organization. It
isn’t possible to obtain signing certificates from CAs that are already trusted by
operating systems or browsers.

Most certificate authorities use certificates with either RSA or Elliptic Curve (EC) encryption
keys. In most situations, certificates of one type can be signed by certificate authorities of the
other, allowing you to use the same CA for both. If you encounter problems with applications
that expect certificates of only one type, you can add an EC key and use it for re-signing
certificates that were originally signed by an EC-based authority. If you add a second CA,
ensure that it is trusted by all endpoint devices.

Sophos XG Firewall release notes New features

Name Description

Use CAs defined in SSL/TLS settings Uses the certificate authority specified in
SSL/TLS inspection settings.

Re-sign RSA with Used when the website’s certificate was
signed using RSA.
You can specify an EC or RSA certificate.

Re-sign EC with Used when the website’s certificate was
signed using EC.
You can specify an EC or RSA certificate.

5. Specify the action for non-decryptable traffic, such as insecure protocol versions, occurrences,
and cipher suites.

Name Description

SSL 2.0 and SSL 3.0 Allowing these connections lowers security.

SSL compression Compression before encryption has known
vulnerabilities.

When SSL/TLS connections exceed limit Applies to excess traffic when volume
exceeds the decryption capability of the
firewall.
To see the decryption limit, go to
Control center and select the SSL/TLS
connections widget.

Unrecognized cipher suites Firewalls can’t decrypt traffic using
unrecognized cipher suites. Using
unrecognized cipher suites lowers security.

Action for non-decrytable traffic:

• Use SSL/TLS settings default: Applies the action specified in SSL/TLS inspection settings.
This option doesn’t apply to unrecognized cipher suites.
• Allow without decryption
• Drop: Drops without notifying the source.
• Reject: Drops and sends a connection reset message to the source host.

New features                                                                          Sophos XG Firewall release notes

                    Note
                    XG Firewall rejects connections using SSL 2.0 and 3.0, SSL compression, and
                    Unrecognized cipher suites if you set the action to Decrypt in SSL/TLS inspection
                    rules.
                    To allow these connections, create a decryption profile set to Allow without
                    decryption. Add the profile to an SSL/TLS inspection rule with the action set to
                    Don't decrypt.

  6. Specify the certificate, protocol, and cipher enforcement details.

        Name                                               Description

        Certificate errors to block                        Select the certificate errors. XG Firewall
                                                           blocks connections that have the specified
                                                           errors.

                                                                • Invalid date
                                                                • Self-signed
                                                                • Untrusted user
                                                                • Revoked
                                                                • Name mismatch: Checks that the server
                                                                  name requested in the Client Hello
                                                                  matches the domain names represented
                                                                  by the certificate.
                                                                • Invalid for other reasons
                                                           If you created an exception for HTTPS
                                                           decryption in Web > Exceptions, XG
                                                           Firewall allows traffic with invalid certificates
                                                           if the traffic matches the exception criteria.

        Minimum RSA key size                               Select a minimum key length.
                                                           Keys less than 2048 bits are no longer
                                                           considered secure. Allow them only if it's
                                                           necessary to ensure compatibility with older
                                                           servers that can't be upgraded.

        Minimum SSL/TLS version                            Select the minimum protocol version to
                                                           allow.
                                                           Versions earlier than TLS 1.2 are no longer
                                                           considered secure. Allow them only if it's
                                                           necessary to ensure compatibility.

Copyright © Sophos Limited                         20200908                                                      21

Sophos XG Firewall release notes New features

Name Description
Maximum SSL/TLS version Select the maximum protocol version to
enforce.
To implement the latest available version,
select Maximum supported. When a
later protocol version becomes available,
XG Firewall will implement that version
automatically.

Cipher algorithms to block Select the key exchange, authentication
mechanism, bulk ciphers, and hash
algorithms to block.

Block action Select the action to apply.

• Drop: Drops without notifying the
source.
• Reject: Drops and sends a connection
reset message to the source host.
• Reject and notify: Establishes the
connection but prevents any data
transfer with the server. For HTTPS
connections, attempts to display a block
page with the error reason to the user.

For TLS 1.3 connections, you need to set the action to Decrypt in SSL/TLS inspection rules to
do the following:
• Block certificate errors and apply the minimum RSA key size specified in decryption
profiles.
• Apply the block action Reject and notify specified in the decryption profile. If you apply
such a decryption profile to SSL/TLS inspection rules with Don't decrypt or Deny action,
XG Firewall applies the block action Reject.

7. Click Save.
Go to Rules and policies > SSL/TLS inspection rules and add the decryption profile to a rule to
specify the action.

3.2 Sandstorm threat intelligence analysis
Sophos Sandstorm gains an added layer of artificial intelligence protection. All suspicious files are
now subject to threat intelligence analysis in parallel with full sandbox analysis. Files are checked
against the Sophos Labs threat intelligence database and subjected to our industry-leading deep
learning. This identifies new and unknown malware quickly and efficiently, often rendering a verdict
in seconds, to stop the latest zero-day threats before they get on the network.

New features Sophos XG Firewall release notes

3.2.1 Threat intelligence widget improvements
The Threat intelligence, formally shown as Sandstorm, widget on the dashboard now shows
new files, incidents and total scanned files to give a clearer picture of threats seen by Sophos
Sandstorm.

3.2.2 Threat intelligence reporting changes
The Threat intelligence report has been improved to give greater insight into threats seen on the
network.
Threat intelligence uses multiple different analysis techniques and combines these to determine if a
file is likely to be malicious or not. This gives you more information and helps reduce false positive
detections. You can also view the analysis, release status, report details and release files or emails.

• To view details of a scan, hover over the detection status of an entry. This shows a brief
overview detailing the threat result at each stage of Sandstorm processing. To view the full
report, select View report.

• To filter the results, click Filter and specify criteria.

• To view the details of Sandstorm analysis, select the more options button, , and then select
Show report.
• To release a file or email message, click Release now.
When you release a file, users can download it immediately. Only files that are currently being
analyzed or that have been returned with error status are eligible for release. Sandstorm continues
to analyze the file even if you release it.

CAUTION
Releasing an item before the analysis is complete may result in the downloading of
malicious content.

Reports contain the following information:

Download For example, the source, download time, and users who downloaded the file.
details

Analysis Shows the overall Sandstorm result of the file. Files can be classified as clean,
summary likely clean, suspicious, malicious, or PUA (Potentially Unwanted Application). You
can also see an overview of the main file details.

Machine Shows the overall machine learning result, file feature analysis, feature combination
learning analysis and the file structure analysis.
analysis

Reputation The result of this analysis is based on how widely-seen the file is.
analysis

Sophos XG Firewall release notes New features

Sandstorm Shows the activities the file carries out, screenshots of the file being run in
detonation Sandstorm, details of the processes the file uses and the registry activity
results generated.

Full file Shows full details of the file. This section contains details of the file signatures and
analysis any certificates used, the resources called, imports carried out, such as DLLs used
and any export functionality.

VirusTotal Shows how many reports for the specific threat are currently shown in the
report VirusTotal database and the number of malware detection products that currently
detect the file.

3.3 Sophos Central Firewall Reporting and
Management
This release includes support for new firewall reporting and management capabilities being
launched simultaneously on Sophos Central including a rich powerful new reporting suite and group
firewall management tools.
Go to Central synchronization.

Sophos Central services
From XG Firewall, you can turn on centralized reporting, management, and configuration backup in
Sophos Central. To use this feature, register this firewall with Sophos Central.
After turning on the services, a Super admin must take action in Sophos Central to activate these
services.

Name Description

Sophos Central Turn it on to configure centralized reporting, management, and
services configuration backup of this XG Firewall from Sophos Central.
In Sophos Central, select Global settings. Under Administration,
select Registered firewall appliances to see the list of registered
appliances.

Use Sophos Central Select to turn on centralized reporting.
reporting
In Sophos Central, go to Firewall management > Firewalls. Go to the
firewall and select Accept services.

Use Sophos Central Select to turn on centralized management.
management
In Sophos Central, go to Firewall management > Firewalls. Go to the
firewall and select Accept services.

New features                                                                   Sophos XG Firewall release notes

  Name                       Description

  Send configuration         If you've selected Use Sophos Central management, select this to
  backup to Sophos           save configuration backups in Sophos Central.
  Central
                             In Sophos Central, go to Firewall management > Backup. Specify a
                             backup schedule or generate the backup.

For details of centralized reporting and management, go to Sophos Central help.

3.4            NAT Enhancements
XG Firewall’s NAT configuration receives a major update as NAT rules are now decoupled from
Firewall Rules enabling more powerful and flexible configuration options including Source (SNAT)
and Destination (DNAT) in a single rule. NAT Rules can still be “snapped-in” to a Firewall Rule and
edited in-place similar to other snap-in policies such as IPS and Web policies.

3.4.1 NAT rules
With Network Address Translation (NAT), you can modify the IP addresses and ports of traffic
flowing between networks, generally between a trusted and an untrusted network.
It translates private IP addresses into public IP addresses, allowing private IP networks to connect
to the internet and hiding the internal network behind the public IP address.
You can create source NAT (SNAT) and destination NAT (DNAT) rules to enable traffic flow
between private and public networks by translating non-routable, private IP addresses to routable,
public IP addresses. You can create NAT rules for IPv4 and IPv6 networks.
You can specify loopback and reflexive rules for a destination NAT rule. These rules remain
independent of the original rule from which they’ve been created. Changing or deleting the original
NAT rule doesn’t affect them.
Linked NAT rules are SNAT rules and are created from firewall rules. XG Firewall automatically
adds a linked NAT rule to match traffic for email MTA mode.
To allow traffic flow between overlapping local subnets, you need to configure NAT over policy-
based IPsec VPN on VPN > IPsec connections. For details, go to knowledge base article 123356.

    • To add a NAT rule manually, select Add NAT rule and then select New NAT rule.
    • To create destination NAT rules and the related firewall rules automatically, select Add NAT
      rule and then select Server access assistant (DNAT).

Server access assistant (DNAT)
Use this to create DNAT rules to translate incoming traffic to servers, such as web, mail, SSH, or
other servers, and to access remote desktops. The assistant also creates a reflexive SNAT rule (for
outbound traffic from the servers), a loopback rule (for internal users accessing the servers), and a
firewall rule (to allow inbound traffic to the servers) automatically.

Rule table actions
    • To see IPv4 or IPv6 rules in the rule table, select IPv4 or IPv6.

Copyright © Sophos Limited                       20200908                                                 25

Sophos XG Firewall release notes New features

• To hide or show the rule filter, select Disable filter and Enable filter respectively.
• To reset the rule filter, select Reset filter.
• To turn off rules, select the rules and then select Disable.
• To delete rules, select the rules and then select Delete.
• To change the sequence of a rule, drag and drop the Rule handle button . XG Firewall
evaluates rules from the top down until it finds a match. Once it finds a match for the packet, it
doesn’t evaluate subsequent rules. So, position the specific rules above the less specific rules.

Click More options to specify the following actions:

• To turn on or turn off a rule, select the switch.
• To edit or delete a rule, select the action.
• To add a rule next to an existing rule, select the action.
• To unlink a rule from the firewall rule, select Unlink rule.
• To reset the number of times a rule was in use, select Reset usage count. This is useful when
troubleshooting.

Firewall rules and NAT rules
Firewall rules allow or drop traffic entering and exiting the network. NAT rules translate IP
addresses for traffic the firewall rule allows. So, you must create firewall rules even when you have
NAT rules.
If XG Firewall doesn't find a firewall rule that matches the traffic criteria, it drops the traffic and logs
the event. If it doesn't find a matching NAT rule, it allows the traffic to flow but doesn't translate the
IP address.
For NAT rules, the matching criteria are the original (pre-NAT) source, destination, and service, and
the inbound and outbound interfaces. The order in which XG Firewall looks up and applies NAT and
firewall rules is as follows:
• Outgoing traffic: XG Firewall applies the firewall rule first and then the SNAT rule.
• Incoming traffic: XG Firewall looks up the DNAT rule first to determine the translated (post-
NAT) destination. It then matches the firewall rule based on the source and destination zones,
source and destination networks, services, and schedule. For the destination zone, it uses the
zone to which the translated (post-NAT) destination belongs.
Example: For traffic from the WAN or the LAN zones to your web server in the DMZ, you can
create a DNAT rule to translate your public IP address (original destination) to the web server's
IP address (translated destination).
When packets arrive, XG Firewall looks up the DNAT rule. It identifies the zone containing the
translated destination that you specified. In this example, it identifies DMZ as the destination
zone.
So, to create a firewall rule matching this traffic, you must set the destination zone to DMZ.
For an example of how to create a DNAT rule and the corresponding firewall rule, see the
related link on this page: Create DNAT and firewall rules for internal servers.

New features                                                                      Sophos XG Firewall release notes

Source NAT
You can create source NAT rules for outgoing traffic to enable internal clients and servers to access
external hosts. XG Firewall implements one-to-one, many-to-one, and many-to-many translation.
Some of these involve port address translation.
You can also define interface-specific NAT to translate the IP addresses of one or more internal
hosts to the IP address you specify for an outbound interface.
You can’t create a source NAT rule using a public interface that’s a bridge member because bridge
members don’t belong to a zone. If you configure a public interface as a bridge member, source
NAT rules using the interface are deleted.

Destination NAT
You can create destination NAT rules for incoming traffic to enable external hosts to access internal
clients and servers. You can specify one-to-one, many-to-one, many-to-many, and one-to-many
translation from your public IP addresses to private IP addresses.
You can also specify a load balancing method and health check for the translated destination hosts,
for example, web or email servers.

Service translation
XG Firewall implements port forwarding with service translation. Services are a combination of
protocols and ports. The translated protocol must match the original protocol.
XG Firewall implements one-to-one, many-to-one, and many-to-many translation. For many-to-
many translation, the ports for the original and translated services must be equal in number.

               Note
               The web admin console of XG Firewall and the user portal are accessible over HTTPS
               through the default ports 4444 and 443 respectively. If your public IP addresses are
               configured with HTTPS port forwarding to internal web servers, go to Administration
               > Admin settings and specify unused ports for the Admin console HTTPS port
               and the User portal HTTPS port. Alternatively, specify a different port for your web
               servers.

Loopback rules
You can create loopback rules from destination NAT rules to allow internal hosts to communicate
with other internal hosts over the external IP address or the domain name. For example, create a
destination NAT rule to translate incoming traffic to your servers and create a loopback rule.
To create a loopback rule, specify the following destination NAT rule criteria:

    • Original source: Any
    • Translated source: Original
    • Translated destination: Don’t set to original.

Reflexive rules
You can create a mirror NAT rule for destination NAT rules. It reverses the matching criteria of
the destination rule. For example, create a destination NAT rule to translate incoming traffic to
an internal server. The corresponding reflexive rule will allow traffic from the server to the source
specified in the destination NAT rule.

Copyright © Sophos Limited                       20200908                                                    27

Sophos XG Firewall release notes New features

If the original destination isn’t an IP address or is translated, the translated source is masqueraded.

Linked NAT rules
You can create linked NAT rules when you create firewall rules. These are SNAT rules and appear
in the NAT rule table.
XG Firewall introduced linked NAT rules in 18.0 to ensure a smooth migration from earlier versions
in which the NAT configuration was part of the firewall rule.
All the matching criteria of a firewall rule, including users and schedule, apply to its linked NAT rule.
You can't edit these settings in the NAT rule. You can only specify the translated sources, including
interface-specific translated sources in a linked NAT rule.
XG Firewall matches linked NAT rules only with traffic related to the firewall rule to which it's linked.
However, if it finds a match with a rule above the linked NAT rule, it applies the first rule's settings.

Tip
We recommend that you don't create new linked NAT rules when a generic NAT rule
matches the traffic. Create NAT rules independently to simplify your configuration
because you need fewer NAT rules than firewall rules. For example, you may only
need a single SNAT rule to masquerade outgoing traffic in a simple environment. You
don't need to create an SNAT rule for each firewall rule.

Migrated NAT configurations
When you migrate from an earlier version to SFOS 18.0, XG Firewall migrates the NAT settings of
firewall rules as NAT rules and lists them in the NAT rule table. You can't define a gateway-based
NAT configuration any longer.
Source NAT settings are migrated as linked NAT rules. These rules are linked to the original firewall
rule. You can identify these by the firewall rule ID and name in the NAT rule table.
Destination NAT settings are migrated as independent NAT rules and aren’t linked to a firewall rule.

Pre-migration rules Post-migration rules

User/Network rules Source or destination NAT rules based on the
pre-migration criteria.

Email clients Source NAT rules

DNAT/Full NAT/Load balancing Destination NAT rules with corresponding
firewall rules.

Email servers Destination NAT rules

NAT settings are migrated as follows:
Source NAT (SNAT) rules:

• Masqueraded and translated source addresses are migrated as they are.

You can also read