Sophos XG Firewall 17 - What is new or has everything changed?
Sophos has recently released a new version of their firmware for the XG Firewalls. We would like to give you an overview of the new features and changes.
Initial setup wizard
A new initial setup wizard makes setup quick and easy. In addition to a new user-friendly setup wizard, the new process also allows you to bypass the initial licence registration process during initial setup. The wizard has been carefully crafted to provide maximum support to new XG Firewall customers without the need for documentation. At the same time, experienced users can go through the setup process quickly and efficiently. It also includes an option to upgrade the firmware to the latest version as part of the setup process, ensuring customers have the latest and greatest firmware at deployment.
Synchronised app control widget
A new Control Centre widget for the Synchronised App Control feature shows at a glance which previously unidentified apps have been detected.
Instructions
A new option provides one-click access to the XG Firewall How-to library at the top of every screen, with videos and tutorials on how to perform common tasks in XG Firewall.
Synchronised App Control
Synchronised App Control is a breakthrough in network visibility. It can identify, classify and control applications that were previously active on the network but unidentified, as well as unknown applications, by using Synchronised Security to obtain information from the endpoint about applications that have no signatures or that use generic HTTP or HTTPS connections. This solves a significant problem affecting signature-based app control on all firewalls today, where many apps end up classified as "unknown", "unclassified", "generic HTTP" or "SSL".
XG Firewall can now uniquely identify all apps used on Sophos endpoints. Where possible, XG Firewall automatically classifies the application and manages it using existing app control policies. Administrators can also manually assign categories to detected applications to enable app control enforcement. This is hugely useful as it allows the application to be blocked or prioritised as required. Detected apps can also be added directly to existing app control policies.
Web Keyword Monitoring and Enforcement
Web policies now include the option to log and monitor or even enforce keyword list policies.
Keyword libraries can be uploaded to the firewall as additional criteria and applied to all web filtering policies. This is done with actions to log and monitor or block search results or websites with the relevant keywords.
IPS policy enhancements and smart filters
Creating custom IPS policies is greatly simplified by a powerful but intuitive new policy editor that allows quick and easy selection of desired IPS patterns by category, severity, platform and target type, with support for persistent smart filter lists.
For example, an IPS policy specifically designed to protect Linux servers and devices can be created simply by selecting 'Linux' for the 'Platform'. As new patterns are added to address newly discovered vulnerabilities in Linux, the firewall automatically protects Linux devices.
Web filtering enhancements
As part of Web Protection, an option is now available to prevent potentially unwanted applications from being downloaded.
SafeSearch enforcement has been enhanced for Bing, Google and YouTube (restricted mode) to use a DNS enforcement mechanism. This now allows enforcement during SSL-encrypted browser sessions, even if HTTPS is not decrypted.
End-user block pages have a new design and additional details, allowing users and administrators to better understand the reasons for blocked content.
Firewall rule management
Firewall rule management is more powerful and efficient in version 17, making it easier to work with firewall rules. This is particularly noticeable in environments with a large number of firewall rules.
Firewall rules are now more compact and provide more information at a glance - more than twice as many rules can now be displayed at once. Rules can now be easily grouped and merged, expanded and moved as a single object.
Firewall rule and policy test simulator
A brand new feature in XG Firewall v17 is the new Firewall Rule and Policy Test Simulator, which enables instant and effortless simulation of firewall rules and web filtering policies based on user, protocol, source, destination and time of day. This tool provides a quick and easy way to verify that a policy or rule is working as expected. This can be a valuable troubleshooting tool when users or traffic are blocked unexpectedly.
The results of the policy or rule simulation test indicate whether the traffic is allowed or blocked and identify which rule or web policy controls it.
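To make concrete what such a simulator evaluates, here is an added example (written for this article, not Sophos code) of a minimal rule matcher that takes user, protocol, source, destination and time of day, walks an ordered rule list and returns the verdict together with the rule that produced it. The rule names, networks and schedules are constructed sample data; the one subtlety it handles is a schedule that wraps past midnight, which is where a naive "start <= now <= end" comparison silently breaks.

```python
"""Toy firewall rule simulator (added example, not the XG Firewall implementation).

Given user, protocol, source IP, destination IP and time of day, find the first
rule that matches and report its action and name. Rules that are not matched
fall through to an implicit final deny, as on most firewalls.
"""
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple


@dataclass
class Rule:
    name: str
    action: str                               # "allow" or "block"
    sources: List[str]                        # CIDR strings, e.g. "10.0.0.0/24"
    destinations: List[str]                   # CIDR strings; "0.0.0.0/0" = any
    users: Set[str] = field(default_factory=set)      # empty set = any user
    protocols: Set[str] = field(default_factory=set)  # e.g. {"tcp/443"}; empty = any
    start: time = time(0, 0, 0)               # schedule window, inclusive
    end: time = time(23, 59, 59)


def in_schedule(rule: Rule, when: time) -> bool:
    """True if `when` lies in the rule's window, including windows that wrap midnight."""
    if rule.start <= rule.end:
        return rule.start <= when <= rule.end
    # e.g. 22:00-06:00: valid if after start OR before end
    return when >= rule.start or when <= rule.end


def matches(rule: Rule, user: str, proto: str, src: str, dst: str, when: time) -> bool:
    if rule.users and user not in rule.users:
        return False
    if rule.protocols and proto not in rule.protocols:
        return False
    if not any(ip_address(src) in ip_network(n) for n in rule.sources):
        return False
    if not any(ip_address(dst) in ip_network(n) for n in rule.destinations):
        return False
    return in_schedule(rule, when)


def simulate(rules: List[Rule], user: str, proto: str, src: str, dst: str,
             when: time) -> Tuple[str, str]:
    """Return (action, rule name) for the first matching rule, else the implicit deny."""
    for rule in rules:
        if matches(rule, user, proto, src, dst, when):
            return rule.action, rule.name
    return "block", "implicit deny"


# Constructed sample rule base; order matters, first match wins.
RULES = [
    Rule("Deny guest to LAN", "block",
         sources=["192.168.50.0/24"], destinations=["10.0.0.0/8"]),
    Rule("Staff web, business hours", "allow",
         sources=["10.0.0.0/24"], destinations=["0.0.0.0/0"],
         users={"alice", "bob"}, protocols={"tcp/80", "tcp/443"},
         start=time(8, 0), end=time(18, 0)),
    Rule("Backup window", "allow",
         sources=["10.0.0.0/24"], destinations=["10.20.0.5/32"],
         protocols={"tcp/22"}, start=time(22, 0), end=time(6, 0)),
]

if __name__ == "__main__":
    print(simulate(RULES, "alice", "tcp/443", "10.0.0.15", "203.0.113.10", time(10, 30)))
    print(simulate(RULES, "alice", "tcp/443", "10.0.0.15", "203.0.113.10", time(20, 0)))
    print(simulate(RULES, "svc", "tcp/22", "10.0.0.40", "10.20.0.5", time(1, 0)))
```

Running the three calls at the bottom shows the staff rule allowing web traffic at 10:30, the same traffic falling through to the implicit deny at 20:00, and the backup rule matching at 01:00 because its 22:00-06:00 window wraps midnight.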
IKEv2 Support
IPsec VPN connections now support Internet Key Exchange (IKE) v2, enabling better interoperability with other systems. An IKEv2 IPsec profile is included for convenience and enables quick setup of IKEv2 IPsec VPN connections.
VPN user interface enhancements
Both the IPsec profile configuration and IPsec connection setup screens have been enhanced with a more intuitive layout and automatic field validation checking to streamline setup and reduce errors.
Greylisting
Block more spam at the gateway with greylisting. Since most spam and viruses only attempt to deliver a message once, Greylisting temporarily denies the first attempt and tells the sending mail server to try again. On the next attempt, the message is accepted and scanned as usual. If a mail server passes this test enough times, it is automatically added to the whitelist. Alternatively, the administrator can update whitelist records manually or use built-in presets for common senders.
Recipient verification
Reduce the email processing load on the XG Firewall and give senders, including customers and valued partners, an immediate response when an incorrect email address is entered. Recipient verification allows XG Firewall to query the recipient's directory service via SMTP to verify that a valid mailbox exists. If it does, the message is processed as usual for spam and viruses. Otherwise, the email is rejected and a response is sent to the sender.
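The two mail-gateway checks described above, greylisting and recipient verification, come down to deciding which SMTP reply to send at RCPT TO time. The following added example (written for this article, not Sophos code) models both in one small gateway object: recipient verification runs first, so unknown mailboxes are refused before any scanning or greylisting state is created, and greylisting is keyed on the usual (client IP, sender, recipient) triplet. The mailbox directory is a constructed set standing in for the real directory lookup, and the delay and whitelist thresholds are assumed values, not XG Firewall defaults.

```python
"""Toy SMTP gateway policy: recipient verification plus greylisting (added example).

rcpt_to() returns the (code, text) an SMTP gateway would reply to a RCPT TO command.
Timestamps are plain integers (seconds) so the behaviour is deterministic offline.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Constructed directory standing in for the SMTP callout to the internal mail server.
VALID_MAILBOXES = {"alice@example.com", "bob@example.com"}

GREYLIST_DELAY = 300      # assumed: seconds a retry must wait before it is accepted
PASSES_TO_WHITELIST = 3   # assumed: successful retries before a client IP is whitelisted


@dataclass
class Gateway:
    directory: Set[str]
    seen: Dict[Tuple[str, str, str], int] = field(default_factory=dict)  # triplet -> first seen
    passes: Dict[str, int] = field(default_factory=dict)                 # client ip -> pass count
    whitelist: Set[str] = field(default_factory=set)

    def rcpt_to(self, client_ip: str, mail_from: str, rcpt: str, now: int) -> Tuple[int, str]:
        # 1. Recipient verification: permanent rejection, no further processing.
        if rcpt.lower() not in self.directory:
            return 550, "5.1.1 No such user here"

        # 2. Known-good senders skip greylisting entirely.
        if client_ip in self.whitelist:
            return 250, "2.1.5 OK (whitelisted)"

        # 3. Greylisting: defer the first attempt with a temporary failure.
        key = (client_ip, mail_from.lower(), rcpt.lower())
        first_seen = self.seen.get(key)
        if first_seen is None:
            self.seen[key] = now
            return 451, "4.7.1 Greylisted, please try again later"
        if now - first_seen < GREYLIST_DELAY:
            # Retried too early: still deferred, clock keeps running from first attempt.
            return 451, "4.7.1 Greylisted, please try again later"

        # 4. A proper retry: accept, and count it towards automatic whitelisting.
        self.passes[client_ip] = self.passes.get(client_ip, 0) + 1
        if self.passes[client_ip] >= PASSES_TO_WHITELIST:
            self.whitelist.add(client_ip)
        return 250, "2.1.5 OK"


if __name__ == "__main__":
    gw = Gateway(directory=VALID_MAILBOXES)
    ip, sender = "203.0.113.7", "news@sender.example"   # constructed
    print(gw.rcpt_to(ip, sender, "nobody@example.com", 0))    # 550: no such mailbox
    print(gw.rcpt_to(ip, sender, "alice@example.com", 0))     # 451: first attempt deferred
    print(gw.rcpt_to(ip, sender, "alice@example.com", 60))    # 451: retried too soon
    print(gw.rcpt_to(ip, sender, "alice@example.com", 400))   # 250: accepted
```

Note what the ordering buys: a sender that never retries (the single-attempt behaviour the text attributes to most spam) never gets past step 3, and a bad recipient never even creates greylist state, which is the processing-load reduction the recipient verification paragraph describes. A real implementation would also expire old triplets and whitelist entries; that housekeeping is left out here.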
Microsoft Azure High Availability
Microsoft Azure offers flexibility and global scalability that provides customers with immediate redundancy and business continuity benefits. In version 17, customers can benefit from these features by implementing XG in high availability scenarios in Azure.
Marcel Zimmer is the Technical Managing Director of EnBITCon. During his time in the German Armed Forces, the trained IT developer gained experience on numerous projects. His service in command support is what first sparked his interest in IT security. Since leaving active service, he has remained an active reservist in the Bundeswehr.
His first firewall was a Sophos UTM 120, which he had to set up for a customer project. Since then, his interest in IT security has grown steadily. In the course of time, various security and infrastructure topics have come into his focus. His most interesting projects included, for example, WLAN coverage in an explosion-proof area, as well as a multi-site WLAN solution for a large