Sophos Firewall v21.5: New Features for Your Network Security

Introduction

In this post, we explore the latest updates in Sophos Firewall v21.5, which strengthen your network security and simplify administration. As an IT admin, you will especially appreciate the Entra ID Single Sign-On (SSO) integration for VPN access and NDR Essentials for cloud-based threat detection. Let’s dive in!

Entra ID Single Sign-On: Seamless VPN Access (Windows Only)

What does it bring?

The Entra ID SSO integration is a real win for companies that use Microsoft Entra ID (formerly Azure AD). It allows users to sign in to the VPN portal or the Sophos Connect Client (version 2.4 or later) with their existing Entra ID credentials, without managing separate VPN passwords. That saves time, reduces password fatigue, and improves security through multi-factor authentication (MFA).

How does it work?

Sophos Firewall v21.5 uses OAuth 2.0 and OpenID Connect for secure, token-based authentication. These modern protocols are more robust than older standards such as SAML or Kerberos because they reduce the risk of password theft. Users select the SSO option in the VPN portal or Sophos Connect Client, and if they are already signed in to Entra ID, authentication happens automatically. MFA adds another layer of security, which is especially useful in hybrid Microsoft 365 environments.

Configuration

Setting up Entra ID SSO in SFOS v21.5 requires a few steps, but it is manageable if you pay attention to the details:

  1. Set up authentication server: Configure an authentication server in Sophos Firewall with the Azure Application ID. A detailed guide is available in the Sophos documentation (Microsoft Entra ID Server).
  2. Register callback URLs: Add the VPN portal and remote access URLs as callback URLs in Azure to ensure secure communication.
  3. Import provisioning file: For the Sophos Connect Client, import a provisioning file that contains the gateway name. Here is an example:
[
  {
    "gateway": "vpn.example.com",
    "vpn_portal_port": 443,
    "check_remote_availability": false
  }
]
  • gateway: Must match the callback URL in Azure exactly, otherwise the connection fails.
  • vpn_portal_port: Default HTTPS port 443 for secure communication.
  • check_remote_availability: Skips the gateway availability check, useful in environments with unreliable connectivity.
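As an added pre-flight check (example code written for this post, not Sophos code and not part of the provisioning file format), the following Python script compares each gateway entry in a Sophos Connect provisioning file with the callback URLs registered on the Entra ID app registration, so a hostname or port mismatch is caught before users see a failed connection. The hostnames and callback paths are constructed placeholders; the real callback path comes from the Sophos documentation.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: a Sophos Connect provisioning file in the layout shown above.
PROVISIONING_JSON = """
[
  {"gateway": "vpn.example.com", "vpn_portal_port": 443, "check_remote_availability": false},
  {"gateway": "vpn.example.org", "vpn_portal_port": 443, "check_remote_availability": true}
]
"""

# Constructed sample: redirect (callback) URIs as registered on the Entra ID app.
# "<callback-path>" is a placeholder for the path Sophos documents for the VPN portal.
AZURE_CALLBACK_URLS = [
    "https://vpn.example.com/<callback-path>",
]


def callback_hosts(urls):
    """Return the set of (hostname, port) pairs covered by the registered callback URIs."""
    pairs = set()
    for url in urls:
        parts = urlsplit(url)
        # An https URL without an explicit port implies 443.
        port = parts.port or (443 if parts.scheme == "https" else 80)
        pairs.add((parts.hostname, port))
    return pairs


def check_provisioning(prov_json, callback_urls):
    """Return a list of findings; an empty list means every gateway entry lines up."""
    findings = []
    registered = callback_hosts(callback_urls)
    for i, entry in enumerate(json.loads(prov_json)):
        gateway = entry.get("gateway", "")
        port = entry.get("vpn_portal_port", 443)
        # Rule from the post: the gateway must match the Azure callback URL exactly,
        # so the (host, port) pair has to appear among the registered URIs.
        if (gateway.lower(), port) not in registered:
            findings.append(f"entry {i}: no callback URL registered for {gateway}:{port}")
        if port != 443:
            findings.append(f"entry {i}: non-default vpn_portal_port {port}; confirm the callback URL carries it")
        # Not an error, but worth surfacing: the reachability probe is disabled.
        if entry.get("check_remote_availability") is False:
            findings.append(f"entry {i}: check_remote_availability=false skips the gateway availability check")
    return findings


if __name__ == "__main__":
    for finding in check_provisioning(PROVISIONING_JSON, AZURE_CALLBACK_URLS):
        print(finding)
```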

Migration: If you are migrating from an older SFOS version with Azure AD SSO, Sophos Firewall v21.5 automatically enables SSO, but you must manually add the callback URI for the VPN portal in Azure.

For a visual guide, watch the official video (Entra ID SSO Demo).

https://www.youtube.com/watch?v=Z-HFzPhq54c&t

Benefits

  • User-friendly: No separate VPN credentials, ideal for Microsoft 365 environments.
  • Security: MFA and token-based authentication protect against identity theft.
  • Efficiency: Less administrative overhead for passwords.

Criticism

Unfortunately, Entra ID SSO in SFOS v21.5 is only available for Windows-based Sophos Connect Clients. If you have macOS users in your network, they are left out for now, which is a major setback, especially in mixed environments where Macs are common. Sophos is chronically behind on macOS updates, and while Windows users get the benefits of SSO, macOS users must rely on native IPsec configurations or tools such as Tunnelblick. That is cumbersome and worsens the user experience. Sophos has signaled interest in future macOS support, but until then this is a clear disadvantage.

Competitors compare better here: Cisco Secure Client supports SSO with Azure AD on macOS (Cisco Secure Client), and Fortinet offers similar functionality for both platforms with FortiClient (Fortinet FortiClient). Sophos urgently needs to catch up.

Additional weaknesses:

  • Limited flexibility: VPN portal, SSL VPN, and IPsec must use the same Entra ID SSO server.
  • Occasional errors: There are reports of authentication errors during reconnects that should be fixed in general availability (Sophos Connect 2.4).
  • Documentation: The guides could be more detailed, especially for complex hybrid setups.

NDR Essentials: Advanced Threat Detection

What is it?

NDR Essentials is a cloud-based Network Detection and Response (NDR) solution integrated into Sophos Firewall v21.5 and available free of charge for Xstream Protection customers. It uses AI to detect threats such as command-and-control (C2) communication or dynamically generated domains (DGAs) in encrypted traffic without impacting firewall performance.

How does it work?

SFOS v21.5 extracts metadata from TLS-encrypted traffic and DNS queries and sends it to the Sophos Intellix Cloud. There, two AI engines analyze the data:

  • Encrypted Payload Analysis (EPA): Detects anomalies in encrypted traffic through pattern recognition, without decryption.
  • DGA detection: Identifies dynamically generated domains, which malware often uses for C2.

The cloud architecture relieves the firewall and enables continuous updates to the AI models. Detected threats receive a score from 1 (low) to 10 (high) and are logged in the firewall. There is currently no automatic blocking, which limits the impact of false positives, but an optional blocking action would be useful in the future.

NDR Essentials vs. full version

NDR Essentials is a “lite” version focused on gateway traffic (north-south). The full version of Sophos NDR (Sophos NDR) offers broader monitoring, including internal traffic (east-west), and is available as a virtual appliance or on certified hardware. It supports up to 40 Gbps and 120,000 connections per second, making it ideal for large enterprises. It also provides detailed visibility into unprotected devices, IoT assets, and internal threats, which NDR Essentials does not.

Setup

Activation is simple, as you would expect from Sophos.

  1. Navigate to Active Threat Response > NDR Essentials.
  2. Enable the feature and select interfaces (for example, WAN interfaces).
  3. Set the minimum threat score (recommendation: 9-10).

Detections are visible in the Control Center, Log Viewer, and Sophos Central. For tests, use the Sophos test environment (Sophos Test) to simulate attack behavior.

Detailed instructions are available in the documentation (NDR Essentials) or in the demo video (NDR Essentials Demo).

Screenshot: Sophos Firewall v21.5 - NDR Essentials Settings

Benefits

  • Performance-neutral: Cloud-based analysis protects firewall resources.
  • Free: Included for Xstream Protection customers.
  • Effective detection: Finds threats in encrypted traffic without decryption.

Criticism

NDR Essentials is limited to XGS hardware and does not support virtual or cloud deployments, nor HA active-active mode. That restricts deployment options, especially for companies with cloud or high-availability setups. Its focus on north-south traffic is also less comprehensive than full NDR solutions.

Competitors such as Palo Alto Networks compare better, as their NGFWs offer broader NDR capabilities for east-west traffic (Palo Alto NDR). Fortinet’s FortiNDR is also more flexible, but often involves additional license costs (Fortinet FortiNDR). Sophos scores with free integration, but the hardware restrictions are a disadvantage.

Requirement            Details
License                Xstream Protection Bundle
Hardware               XGS hardware only, no virtual/cloud devices
Supported interfaces   Physical, VLAN, LAG, Bridge (LAN/DMZ zones)
Unsupported modes      HA Active-Active

More Features in Sophos Firewall v21.5

VPN and scalability improvements

SFOS v21.5 optimizes VPN functionality:

  • Clearer labels: “Site-to-Site” is now “policy-based”, and tunnel interfaces are now “route-based”, which reduces confusion.
  • IP lease pool validation: Prevents address conflicts with SSL VPN, IPsec, L2TP, and PPTP.
  • Strict IPsec enforcement: Minimizes tunnel establishment errors.
  • Increased capacity: Up to 3,000 route-based VPN tunnels and 1,000 site-to-site RED tunnels with 650 SD-RED devices, ideal for global networks.

Criticism: Documentation on tunnel capacities could be more detailed. Fortinet offers more comprehensive guides here (Fortinet VPN).

Sophos DNS Protection

Free for Xstream Protection customers, with updates in Sophos Firewall v21.5:

  • Control Center widget: Quick status overview.
  • Improved troubleshooting: New logs and notifications.
  • Guided setup: Step-by-step wizard.

However, the logging capabilities could be more detailed. Cisco Umbrella offers broader DNS analytics, though as a paid product (Cisco Umbrella).

Management improvements

The user interface has been optimized:

  • Customizable table columns: Column widths (for example, SD-WAN, NAT) can be adjusted and remain saved.
  • Enhanced search: Free-text search in SD-WAN routes and ACL rules, for example for “192.168.1.0” or “Domain xyz”.
  • Default configuration: There are no longer any default firewall rules, and the default action is set to “None”, which improves security but can challenge newcomers.
  • New font: Improves readability.

Criticism of UI speed

Despite these improvements, the SFOS v21.5 user interface remains sluggish, especially when saving firewall rules and WAF settings. I had hoped that Sophos would significantly improve performance, but it feels as if the UI technology is stuck at the level of 2019. Saving WAF rules is painfully slow, and responsiveness is not at the level of modern web interfaces. By comparison, Fortinet and Palo Alto Networks offer faster, more responsive UIs that do not slow down the workflow (Fortinet FortiGate, Palo Alto NGFW). Sophos urgently needs to improve here to keep up with the competition.

Additional technical improvements

  • WAF file size limit: Configurable up to 1 GB, useful for media companies.
  • Security telemetry: Real-time monitoring of OS file changes through hash validation.
  • DHCP improvements: Supports IPv6 prefixes from /48 to /64, improving ISP compatibility.
  • Path MTU Discovery: Fixes TLS decryption errors with ML-KEM.
  • NAT64: Enables IPv6-to-IPv4 traffic in proxy mode, but with limitations. Cisco offers more flexible NAT64 options (Cisco NAT64).

Feature               Details
WAF file size limit   Configurable up to 1 GB
Security telemetry    Real-time monitoring of OS file changes
DHCP improvements     IPv6 prefixes /48 to /64, RA/DHCPv6 enabled
Path MTU Discovery    Fixes TLS decryption errors with ML-KEM
NAT64                 IPv6-to-IPv4 in explicit proxy mode

Licensing changes

Although not new in Sophos Firewall v21.5, it is worth mentioning that Sophos has removed RAM restrictions for virtual, software, and cloud licenses. Licenses are now limited by CPU cores, which increases flexibility in cloud environments (Sophos license update).

Final Words

Sophos Firewall v21.5 gives you, as an IT admin, powerful tools such as Entra ID SSO and NDR Essentials that improve your network security and user management. The updates to VPN, DNS protection, and management make SFOS v21.5 a solid upgrade, especially for SMBs with Xstream Protection. But the missing macOS support, hardware restrictions for NDR Essentials, and sluggish user interface are weaknesses that put Sophos behind Cisco, Fortinet, or Palo Alto in some areas. I recommend testing the Early Access version (EAP registration) and sharing your feedback in the Sophos Community (Sophos Community). Stay tuned for more updates on TrueNetLab!

Until next update,
Joe