XG Firewall v18 MR1 is now rolling out globally, bringing new levels of visibility, protection, and performance to your firewall. When the notification for the latest firmware update appears in the console, we strongly encourage everyone to take advantage of the easy process to upgrade. It’s just a few clicks.
XG Firewall can scan all web traffic for malicious code and downloaded files. We strongly recommend that you take advantage of SophosLabs Threat Intelligence and Sophos Sandstorm sandboxing to further analyze files. To do so, simply check the option to “Detect zero-day threats with Sandstorm” for all rules governing web traffic. Sophos XG Firewall brings a fresh new approach to the way you manage your firewall, respond to threats, and monitor what’s happening on your network.
And if you haven’t already done so, now is the time to upgrade your XG Firewall to v18.
As there are many great new features in XG Firewall v18, our blog series over the coming weeks will be highlighting the most important new capabilities, such as the new Xstream Architecture, the new zero-day threat protection, Sophos Central Management and Reporting, and how you can get the most out of them.
One of the flagship features in v18 is the new Xstream Architecture, which includes a streaming DPI engine and TLS 1.3 inspection for encrypted traffic.
How is this architecturally different to the legacy web proxy solution? Put simply, the new Xstream DPI engine is specifically designed to achieve optimal performance and connection-handling efficiency. It uses a single streaming engine that inspects traffic between a host on the network and an external server or service. This provides all the essential protection in a single pass:
By stream scanning files as they are downloaded from web servers, it can pass the content along to the end user while only holding the last portion of the file to complete the scan before either blocking the download or allowing the last packets to flow through. It does not need to hold the entire file while it’s being scanned.
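As an added illustration that is not part of this post and not Sophos code, the following Python model shows the stream-scanning idea described above: chunks are forwarded to the client as they arrive, only a small hold-back window is retained, an inline signature match stops the stream immediately, and a whole-file check (here a constructed SHA-256 block list standing in for a threat-intelligence lookup) runs at the end before the held-back bytes are released. The signature, sample files, chunk size and hold-back size are all constructed for the demo and do not reflect the real engine's internals.

```python
import hashlib

SIGNATURE = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"  # inline pattern; the standard AV test string's name
HOLDBACK = 16  # bytes withheld from the client until the final verdict (constructed, tiny for the demo)

# Constructed sample "downloads" (not real malware).
CLEAN_FILE = b"quarterly-report.txt: nothing suspicious in this document at all.\n"
INLINE_HIT = b"harmless-looking header bytes, then: " + SIGNATURE + b" and a trailer"
WHOLE_FILE_HIT = b"opaque binary blob that only a full-file hash lookup can identify\n"
# Constructed block list of SHA-256 digests standing in for a threat-intelligence lookup.
BLOCKED_DIGESTS = {hashlib.sha256(WHOLE_FILE_HIT).hexdigest()}


class StreamScanner:
    """Single-pass scanner: forwards data as it arrives and keeps only HOLDBACK bytes back."""

    def __init__(self, signature=SIGNATURE, holdback=HOLDBACK, blocked=BLOCKED_DIGESTS):
        self.signature = signature
        self.holdback = holdback
        self.blocked = blocked
        self.held = b""        # bytes received but not yet released to the client
        self.tail = b""        # last len(signature)-1 scanned bytes, so matches spanning chunks are seen
        self.hasher = hashlib.sha256()
        self.verdict = None    # None while streaming, then "clean" or "malicious"

    def feed(self, chunk: bytes) -> bytes:
        """Scan one chunk; return the bytes that may be forwarded to the client now."""
        if self.verdict == "malicious":
            return b""
        self.hasher.update(chunk)
        window = self.tail + chunk
        if self.signature in window:          # inline hit: stop immediately and drop what is held
            self.verdict = "malicious"
            self.held = b""
            return b""
        self.tail = window[-(len(self.signature) - 1):]
        self.held += chunk
        if len(self.held) > self.holdback:    # release everything except the held-back portion
            release, self.held = self.held[:-self.holdback], self.held[-self.holdback:]
            return release
        return b""

    def finish(self) -> bytes:
        """End of stream: whole-file checks run, then the held-back bytes are released or dropped."""
        if self.verdict != "malicious" and self.hasher.hexdigest() in self.blocked:
            self.verdict = "malicious"
        if self.verdict == "malicious":
            self.held = b""
            return b""
        self.verdict = "clean"
        release, self.held = self.held, b""
        return release


def relay(file_bytes: bytes, chunk_size: int = 8):
    """Push a file through the scanner in chunks; return (verdict, bytes the client received)."""
    scanner = StreamScanner()
    delivered = b""
    for i in range(0, len(file_bytes), chunk_size):
        delivered += scanner.feed(file_bytes[i:i + chunk_size])
    delivered += scanner.finish()
    return scanner.verdict, delivered


if __name__ == "__main__":
    for name, data in [("clean", CLEAN_FILE), ("inline", INLINE_HIT), ("whole-file", WHOLE_FILE_HIT)]:
        verdict, got = relay(data)
        print(f"{name}: verdict={verdict}, delivered {len(got)}/{len(data)} bytes")
```

Running it shows the trade-off the paragraph describes: a file caught only by the whole-file check has already reached the client minus its last HOLDBACK bytes, so the download never completes but a prefix has left the firewall; an inline signature hit stops delivery as soon as the pattern is seen, even when it straddles two chunks.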
And it’s FAST! How fast? Many XG Firewall customers and partners have reported that the new DPI engine and TLS inspection are anywhere from two to three times faster than before.
Unlike the Xstream DPI engine, legacy protection in XG Firewall utilizes different engines for different jobs. There’s a web proxy for inspecting and filtering web content, an IPS engine, and an application control solution.
Rather than stream scanning as traffic flows through, the web proxy acts as a relay between the client and the external server. This has an advantage when packet header modifications need to be made to support features such as SafeSearch, YouTube restrictions, or Google domain restrictions, as only the legacy web proxy can support these features. In all other cases, however, it just means it’s handling more connections and doing more work.
When you upgrade your XG Firewall to v18, all your existing firewall rules will be using the legacy web proxy by default to ensure seamless upgrade compatibility. If you don’t require features like SafeSearch, YouTube restrictions, or Google domain restrictions, you should switch these firewall rules to using the new Xstream DPI engine. It requires a change to a single setting:
This setting determines if you’re using the legacy web proxy (checked) or the new Xstream DPI engine (unchecked).
By switching many of your firewall rules over to the new Xstream DPI engine, you can see a tremendous performance benefit.
Taking advantage of the new TLS inspection engine with support for TLS 1.3 is also simple to configure. It essentially requires checking one box in your firewall to activate it and then creating a rule on the new SSL/TLS Inspection Rules tab as shown below.
As with any TLS inspection solution, you will also need to deploy the appliance CA certificate to hosts on your network that you wish to inspect. We recommend using the wizard built into the Microsoft Active Directory Group Policy Management tools to make this quick and easy.
Your TLS rules define which TLS traffic to decrypt and the associated decryption profile governs how to handle the decryption as well as protocol and cipher enforcement. The rules are structured and work identically to how firewall rules function in a top-down hierarchy.
We recommend you start gradually with TLS inspection, on a limited subset of your network or a few test systems. This will allow you to build your expertise with the new TLS inspection solution and explore the new rules, logging, reporting, and error-handling options. Not all applications and servers fully and properly support TLS inspection, so watch the Control Center for errors and take advantage of the convenient built-in tools to exclude problematic sites or services.
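As an added example that is not part of this post or of Sophos's own code, the following Python sketch models the top-down, first-match evaluation of TLS inspection rules described in the two paragraphs above, with a decryption profile enforcing a minimum protocol version and a cipher allow-list, and shows why an exclusion for a problematic site has to sit above the broad decrypt rule. All rule names, zones, hostnames and profile settings are constructed for the illustration; the product's actual rule fields and semantics are not reproduced here.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional

TLS_ORDER = ("TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3")


@dataclass(frozen=True)
class DecryptionProfile:
    """What a matching 'decrypt' rule enforces on the session (fields constructed for this example)."""
    name: str
    min_version: str            # sessions negotiating anything older are rejected
    allowed_ciphers: frozenset  # cipher suites the inspected session may use


@dataclass(frozen=True)
class TLSRule:
    name: str
    action: str                 # "decrypt" or "do_not_decrypt"
    source_zones: frozenset     # e.g. {"LAN"}; "*" matches any zone
    sni_patterns: tuple         # glob patterns on the server name (SNI); "*" matches everything
    profile: Optional[DecryptionProfile] = None


@dataclass(frozen=True)
class Connection:
    source_zone: str
    sni: str
    version: str
    cipher: str


def rule_matches(rule: TLSRule, conn: Connection) -> bool:
    zone_ok = "*" in rule.source_zones or conn.source_zone in rule.source_zones
    sni_ok = any(fnmatch(conn.sni, pat) for pat in rule.sni_patterns)
    return zone_ok and sni_ok


def evaluate(rules, conn: Connection) -> dict:
    """Walk the rule list top-down; the first matching rule decides."""
    for rule in rules:
        if not rule_matches(rule, conn):
            continue
        if rule.action == "do_not_decrypt":
            return {"rule": rule.name, "decrypt": False, "allow": True, "reason": "excluded from inspection"}
        prof = rule.profile
        if TLS_ORDER.index(conn.version) < TLS_ORDER.index(prof.min_version):
            return {"rule": rule.name, "decrypt": True, "allow": False,
                    "reason": f"{conn.version} below profile minimum {prof.min_version}"}
        if conn.cipher not in prof.allowed_ciphers:
            return {"rule": rule.name, "decrypt": True, "allow": False,
                    "reason": f"cipher {conn.cipher} not permitted by {prof.name}"}
        return {"rule": rule.name, "decrypt": True, "allow": True, "reason": "inspected"}
    # No rule matched: traffic passes through without decryption.
    return {"rule": None, "decrypt": False, "allow": True, "reason": "no matching rule"}


# Constructed sample policy.
STRICT = DecryptionProfile(
    name="strict-inspection",
    min_version="TLS1.2",
    allowed_ciphers=frozenset({"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
                               "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}),
)
# Exclusion for a (constructed) service that breaks under inspection, e.g. certificate pinning.
EXCLUDE_PAYROLL = TLSRule("exclude payroll portal", "do_not_decrypt", frozenset({"LAN"}),
                          ("*.payroll.example",))
DECRYPT_LAN = TLSRule("decrypt all LAN web traffic", "decrypt", frozenset({"LAN"}), ("*",), STRICT)

GOOD_ORDER = [EXCLUDE_PAYROLL, DECRYPT_LAN]   # specific exclusion above the broad rule
BAD_ORDER = [DECRYPT_LAN, EXCLUDE_PAYROLL]    # exclusion shadowed by the catch-all, never reached

# Constructed sample sessions.
PAYROLL = Connection("LAN", "hr.payroll.example", "TLS1.3", "TLS_AES_256_GCM_SHA384")
MODERN = Connection("LAN", "news.example", "TLS1.3", "TLS_AES_128_GCM_SHA256")
LEGACY = Connection("LAN", "old.example", "TLS1.0", "TLS_RSA_WITH_RC4_128_SHA")
DMZ_HOST = Connection("DMZ", "news.example", "TLS1.3", "TLS_AES_128_GCM_SHA256")

if __name__ == "__main__":
    for label, conn in [("payroll", PAYROLL), ("modern", MODERN), ("legacy", LEGACY), ("dmz", DMZ_HOST)]:
        print(label, "good order:", evaluate(GOOD_ORDER, conn))
    print("payroll, bad order:", evaluate(BAD_ORDER, PAYROLL))
```

The `BAD_ORDER` case is the mistake to watch for when you start excluding problematic sites: with the catch-all decrypt rule on top, the exclusion underneath is never consulted and the pinned service keeps failing. The profile checks also show where protocol and cipher enforcement bites, rejecting a TLS 1.0 session with a weak cipher even though the rule itself matched.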
Once you’re comfortable with the DPI engine and TLS inspection, we recommend applying it more broadly across your network. However, with encrypted traffic volumes now at over 80% of all internet traffic, keep in mind that TLS inspection is resource-intensive due to the nature of the decryption/encryption algorithms.
If your XG Firewall appliance is a few years old and already running at high load, it may be time for a hardware refresh or a new higher-performance model. Enabling TLS inspection on most of your internet traffic is now essential protection against the latest ransomware and threats as more and more hackers make use of TLS encryption to get onto networks and stay there undetected.
To learn more, the following resources are available to help you make the most of the new features in XG Firewall v18:
Last month we introduced XG Firewall v18 with the new Xstream architecture, which takes visibility, protection, and performance to extreme new levels.
It’s the biggest release ever for XG Firewall customers, but it’s also exciting news for anyone running Sophos Intercept X Endpoint.
Why, you may ask?
Well, we know that Sophos Intercept X and XG Firewall are both world-class products in their own right, but they were actually designed to work better together.
The two solutions work as a synchronized security system, sharing information in real time and responding automatically to threats.
If you are already running Intercept X, adding XG Firewall not only gets you an industry-leading next-gen firewall, but also transforms your IT security and gives you tremendous benefits as part of an integrated cybersecurity ecosystem.
Adding XG Firewall to your Intercept X endpoint protection enables Synchronized Security. This provides a vital Security Heartbeat™ connection between all your Sophos endpoints and XG Firewall allowing them to communicate and share information in real-time. And it’s all managed from the Sophos Central cloud console.
It allows you to elevate your protection and put your network on autopilot, and reduces the need for day-to-day management.
When either XG Firewall or Intercept X identifies a threat, they work together to provide an automatic response: dynamic firewall rules and lateral movement protection isolate a compromised host to prevent spread, hacker communication, and data loss.
Get deeper visibility into top network risks and all networked applications to drive better security decisions, prioritize and accelerate important application traffic, and block or shape unwanted traffic.
Put your network on autopilot and manage it all from Sophos Central. Its streamlined cloud management platform consolidates all your alerts, reporting, and policy management in one place.
Whether your existing firewall is up for replacement or not, you can easily enable Synchronized Security on your network.
Sophos XG Firewall acts as the nerve center for synchronizing your security, either as a purpose-built synchronized security appliance that works alongside your current firewall, or as an industry-leading replacement for your next-gen firewall.
If you’re already an XG Firewall customer, easily add Sophos Intercept X endpoint protection to your computers, servers, and mobile devices to unlock the full potential of your XG Firewall.
Either way, you can manage it all from a single cloud console with Sophos Central. It’s easy and risk free.