Sophos Firewall v21.5: New Features for Your Network Security

Introduction

In this post we explore the latest updates in Sophos Firewall v21.5, the release that strengthens your network security while giving you the advanced threat-detection features you’ve come to expect. Let’s dive in!

Entra ID Single Sign-On: Seamless VPN access (Windows only)

What’s new?

The Entra ID SSO integration is a major win for organisations that rely on Microsoft 365. It streamlines VPN log-ins and lets you enforce multi-factor authentication (MFA) through Entra ID rather than on the firewall.

How does it work?

Sophos Firewall v21.5 uses OAuth 2.0 and OpenID Connect (OIDC): the user signs in at Entra ID with their existing account and MFA, and the firewall receives a token rather than the user's password. This is especially handy in hybrid Microsoft 365 environments.

Configuration

Enabling Entra ID SSO in SFOS v21.5 involves a few steps, but it’s straightforward if you follow the details:

  1. Set up the authentication server: Go to Authentication > Servers. You’ll find a full guide in the Sophos documentation (Microsoft Entra ID Server).
  2. Register callback URLs: Add the VPN portal and Remote Access URLs as redirect (callback) URIs in the Entra ID app registration. OIDC only returns the authorization code to a URI registered on the app, so a missing or slightly different URI breaks the login.
  3. Import the provisioning file: Sophos Connect needs a provisioning file that names the gateway. Example:
[
  {
    "gateway": "vpn.example.com",
    "vpn_portal_port": 443,
    "check_remote_availability": false
  }
]
  • gateway — must exactly match the host in the redirect URI registered in Azure; otherwise Entra ID refuses the redirect and the connection fails.
  • vpn_portal_port — the port the VPN portal listens on; 443 (HTTPS) by default.
  • check_remote_availability — set to false, the client skips its reachability check of the gateway before connecting, useful when connectivity is unreliable.

Migration: Upgrading from an older SFOS release that used Azure AD SSO? The VPN-portal callback URI is not registered for you; add it manually in Azure.
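To make the “must match exactly” rule checkable before users run into it, here is an added example (not Sophos code and not from the original post) that parses a provisioning file and compares each gateway and port against the redirect URIs registered on the app. The file contents and the redirect-URI paths are constructed placeholders; take the real URIs from the Sophos documentation.

```python
import json
from urllib.parse import urlsplit

# Constructed sample provisioning file: profile 0 matches the registration,
# profile 1 uses a port no redirect URI carries, profile 2 puts a URL where
# a bare host name belongs.
PROVISIONING_JSON = """
[
  {"gateway": "vpn.example.com", "vpn_portal_port": 443,  "check_remote_availability": false},
  {"gateway": "vpn.example.com", "vpn_portal_port": 8443, "check_remote_availability": false},
  {"gateway": "https://vpn.example.com/", "vpn_portal_port": 443, "check_remote_availability": false}
]
"""

# Constructed stand-in for the app registration's redirect-URI list. The paths
# are placeholders (assumption), not the real Sophos callback paths.
REGISTERED_REDIRECT_URIS = [
    "https://vpn.example.com/vpn-portal/oidc-callback",
    "https://vpn.example.com/remote-access/oidc-callback",
]


def registered_endpoints(uris):
    """Map each registered redirect URI to the (host, port) the browser will be
    sent back to. A redirect that carries an authorization code must be https."""
    endpoints = set()
    for uri in uris:
        parts = urlsplit(uri)
        if parts.scheme != "https":
            raise ValueError(f"non-https redirect URI registered: {uri}")
        endpoints.add((parts.hostname, parts.port or 443))
    return endpoints


def check_provisioning(provisioning_json, registered_uris):
    """Return a list of problems; an empty list means every profile's
    gateway:port has a registered redirect URI behind it."""
    endpoints = registered_endpoints(registered_uris)
    problems = []
    for i, profile in enumerate(json.loads(provisioning_json)):
        gateway = profile.get("gateway", "")
        port = int(profile.get("vpn_portal_port", 443))
        # The gateway field is a bare host name. A scheme or path here means the
        # client builds a redirect URI that Entra ID has never been told about.
        if "://" in gateway or "/" in gateway:
            problems.append(f"profile {i}: gateway {gateway!r} must be a bare host name")
            continue
        # Host names are compared case-insensitively (DNS), the port exactly.
        if (gateway.lower(), port) not in endpoints:
            problems.append(f"profile {i}: no redirect URI registered for {gateway}:{port}")
    return problems


if __name__ == "__main__":
    for problem in check_provisioning(PROVISIONING_JSON, REGISTERED_REDIRECT_URIS):
        print("WARN:", problem)
```

Run it against the provisioning file you hand out and the redirect-URI list copied from the app registration; a non-empty result is exactly the mismatch that shows up later as a failed VPN login.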

For a visual walkthrough, watch the official demo video (Entra ID SSO Demo).

Benefits

  • User-friendly: No separate VPN credentials—ideal for Microsoft 365 environments.
  • Secure: MFA and short-lived, token-based authentication limit what a stolen password alone can do.
  • Efficient: Less admin overhead managing passwords.

Drawbacks

Unfortunately Entra ID SSO in SFOS v21.5 is Windows-only—a real drawback in mixed environments. Sophos says macOS support is coming, but for now this is a clear limitation.

Competitors are ahead: Cisco Secure Client and Fortinet FortiClient already offer Azure AD SSO on all major platforms. Sophos needs to catch up.

Additional weaknesses:

  • Limited flexibility: The VPN portal, SSL VPN and IPsec must all use the same Entra ID SSO server.
  • Occasional bugs: Some authentication errors are still reported and should be fixed in Sophos Connect 2.4.
  • Documentation: The guide could be more detailed, especially for complex hybrid setups.

NDR Essentials: Advanced threat detection

What is it?

NDR Essentials is a cloud-based Network Detection & Response service that monitors traffic and spots threats without impacting firewall performance.

How does it work?

SFOS v21.5 extracts metadata from TLS-encrypted flows (without decrypting them) and sends it to SophosLabs Intelix in the cloud, where two AI engines analyse it:

  • Encrypted Payload Analysis (EPA) — spots anomalies in the statistical patterns of encrypted traffic, with no decryption required.
  • DGA detection — flags domain names produced by domain-generation algorithms, which malware uses to locate its command-and-control servers.

The cloud architecture off-loads analysis from the firewall and lets the detection models update continuously. There is no allow-list yet; false positives are rare so far, but the ability to suppress known-good domains and hosts would be a useful addition.
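As an added illustration of what a DGA detector looks for (this is not Sophos's detector, whose models run in the cloud, and it is not code from the original post), here is a toy lexical scorer over a handful of constructed domain names. The thresholds are hand-picked for the sample, and the allow-list parameter shows the suppression of known-good names that the post notes Essentials lacks.

```python
import math
from collections import Counter

VOWELS = set("aeiou")

# Constructed sample: three ordinary names, two DGA-style names, and one
# legitimate but random-looking internal host name (a typical false positive).
SAMPLE_DOMAINS = [
    "google.com",
    "microsoft.com",
    "truenetlab.example",
    "xjq3kz8pfw2lq.net",
    "gwmvbfzqtrd.com",
    "svc-kqx9zt2vpwm.example",
]
ALLOW_LIST = {"svc-kqx9zt2vpwm.example"}


def lexical_features(domain):
    """Lexical features of the registrable label. Approximation: the label left
    of the last dot is taken as registrable; no public-suffix list is consulted."""
    labels = domain.lower().strip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    n = len(label)
    if n == 0:
        raise ValueError(f"empty label in {domain!r}")
    counts = Counter(label)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    run = longest = 0
    for ch in label:  # longest stretch without a vowel; digits and '-' count as non-vowels
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return {
        "label": label,
        "length": n,
        "entropy": entropy,
        "vowel_ratio": sum(ch in VOWELS for ch in label) / n,
        "digit_ratio": sum(ch.isdigit() for ch in label) / n,
        "max_nonvowel_run": longest,
    }


def dga_score(domain):
    """Points-based score: generated names tend to be long, vowel-poor,
    digit-heavy and high-entropy. Thresholds are hand-picked for the sample."""
    f = lexical_features(domain)
    score = 0
    if f["vowel_ratio"] < 0.2:
        score += 2
    if f["max_nonvowel_run"] >= 8:
        score += 2
    elif f["max_nonvowel_run"] >= 5:
        score += 1
    if f["digit_ratio"] > 0.15:
        score += 1
    if f["entropy"] >= 3.3:
        score += 1
    if f["length"] >= 12:
        score += 1
    return score


def classify(domains, allow_list=frozenset(), threshold=3):
    """Return {domain: 'allowed' | 'dga' | 'benign'}; allow-listed names are never flagged."""
    verdicts = {}
    for domain in domains:
        if domain.lower() in allow_list:
            verdicts[domain] = "allowed"
        else:
            verdicts[domain] = "dga" if dga_score(domain) >= threshold else "benign"
    return verdicts


if __name__ == "__main__":
    for domain, verdict in classify(SAMPLE_DOMAINS, ALLOW_LIST).items():
        print(f"{domain:28} score={dga_score(domain)} -> {verdict}")
```

The random-looking internal host name scores as high as the real DGA names, which is why an allow-list matters even when a detector is good: the lexical evidence alone cannot tell a generated C2 domain from an auto-generated service name.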

NDR Essentials vs. full version

NDR Essentials is a “lite” edition focused on gateway traffic. The full NDR service also examines east-west traffic and internal threats—areas Essentials doesn’t cover.

Setup

Activation is as simple as you’d expect from Sophos:

  1. Navigate to Active Threat Response > NDR Essentials.
  2. Enable the feature and select the interfaces to monitor (LAN or DMZ zone interfaces; see the requirements table below).

Detailed instructions are in the docs (NDR Essentials) or in the demo video “Sophos Firewall v21.5 - NDR Essentials Settings”.

Advantages

  • Performance-neutral: Analysis happens in the cloud, sparing firewall resources.
  • Free: Included for Xstream Protection customers.
  • Effective: Detects threats in encrypted traffic without decryption.

Drawbacks

NDR Essentials is restricted to XGS hardware and doesn’t run on virtual or cloud devices. Because it only sees traffic crossing the firewall, its visibility is also narrower than that of full NDR solutions, which cover east-west traffic inside the network as well.

Competitors such as Palo Alto Networks offer broader coverage and deeper integration, but hardware restrictions remain the main downside here.

Requirement            Details
Licence                Xstream Protection Bundle
Hardware               XGS hardware only; no virtual or cloud appliances
Supported interfaces   Physical, VLAN, LAG, Bridge (LAN/DMZ zones)
Unsupported modes      HA Active-Active

More features in Sophos Firewall v21.5

VPN and scalability improvements

SFOS v21.5 refines VPN functionality:

  • Clearer labels: IPsec “Site-to-site” connections are now labelled policy-based and “Tunnel interface” connections route-based, so it is obvious which type you are configuring.
  • IP Lease-pool validation: Prevents address conflicts in SSL VPN, IPsec, L2TP and PPTP.
  • Stricter IPsec enforcement: Minimises tunnel-setup errors.
  • Higher capacity: Up to 3 000 route-based VPN tunnels and 1 000 site-to-site RED tunnels with 650 SD-RED devices—ideal for global networks.
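As an added example (not the firewall's own validation code and not from the original post), here is the overlap check behind that lease-pool validation, written over constructed pools. Pools are accepted either as a CIDR block or as a start-end range (the range form is an assumption about how pools are entered); the LAN subnet is included because a pool that overlaps a local subnet causes the same address conflict.

```python
import ipaddress
from itertools import combinations

# Constructed lease pools; the names mirror the VPN types the post lists.
POOLS = {
    "SSL VPN": "10.81.234.0/24",
    "IPsec (Sophos Connect)": "10.81.235.0/24",
    "L2TP": "10.81.234.100-10.81.234.150",   # sits inside the SSL VPN pool
    "PPTP": "10.81.236.0/24",
    "LAN": "192.168.1.0/24",
}


def to_networks(spec):
    """Accept a CIDR or a 'first-last' range and return the networks covering it.
    A range is summarised into the minimal set of CIDR blocks."""
    if "-" in spec:
        first, last = (ipaddress.ip_address(part.strip()) for part in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(spec, strict=False)]


def find_conflicts(pools):
    """Return the sorted list of (name_a, name_b) pairs whose pools share at least
    one address. An empty list means the pools can be handed out safely."""
    networks = {name: to_networks(spec) for name, spec in pools.items()}
    conflicts = []
    for a, b in combinations(sorted(networks), 2):
        # overlaps() is False for mixed IPv4/IPv6 pairs, so v4 and v6 pools
        # can live in the same table without special-casing.
        if any(x.overlaps(y) for x in networks[a] for y in networks[b]):
            conflicts.append((a, b))
    return conflicts


if __name__ == "__main__":
    for a, b in find_conflicts(POOLS):
        print(f"CONFLICT: {a} ({POOLS[a]}) overlaps {b} ({POOLS[b]})")
```

The same check is worth running against the pools of any older firewall you migrate from, since releases before v21.5 accepted overlapping pools silently.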

Critique: Documentation on tunnel capacity could be more detailed—Fortinet provides far more comprehensive guides.

Sophos DNS Protection

Free for Xstream Protection customers and updated in v21.5:

  • Control-Center widget — quick status view.
  • Improved troubleshooting — new logs and alerts.
  • Guided setup — step-by-step wizard.

Logging could still be richer. Cisco Umbrella delivers deeper DNS analytics—but at a price.

Management improvements

The UI has been streamlined:

  • Resizable table columns: Widths (e.g. SD-WAN, NAT) can be adjusted and persist.
  • Enhanced search: Free-text search in SD-WAN routes and ACL rules—look for 192.168.1.0 or “Domain xyz.”
  • Default configuration: New installations ship without default firewall rules (the default is None), so nothing passes until you write a rule. That is safer, but it demands more from newcomers.
  • New font: Improves readability.

UI-speed criticism

Despite these changes, the interface still feels slow with large rule-sets. Sophos urgently needs to optimise to match its rivals.

Other technical enhancements

  • WAF file-size limit: Configurable up to 1 GB, handy for media companies that push large uploads through the Web Application Firewall.
  • Security telemetry: Real-time monitoring of OS-file changes via hash validation, so tampering with firewall system files is reported.
  • DHCP improvements: IPv6 prefixes from /48 to /64 supported, with RA and DHCPv6 enabled, for better ISP compatibility.
  • Path MTU Discovery: Fixes TLS-decryption errors with ML-KEM. Hybrid post-quantum key shares make the TLS ClientHello too large for a single packet, which exposed MTU problems on the decryption path; honouring the discovered path MTU resolves them.
  • NAT64: Enables IPv6-to-IPv4 traffic in explicit-proxy mode, but functionality is limited; Cisco offers more flexible options.

Licensing changes

Although not new to Sophos Firewall v21.5, it’s worth noting that Sophos has lifted the vCPU limits for virtual, software and cloud licences. Licences are now tied to CPU cores, giving much more flexibility in cloud environments (Sophos Licensing Update).

Final words

Sophos Firewall v21.5 gives you, the IT admin, powerful new tools to secure and scale your network. Got questions? Drop them in the Sophos Community. Stay tuned for more updates on TrueNetLab!

Until next update, Joe

© 2025 trueNetLab