EU80 20.0v1 Sophos Firewall Engineer Delta

This document provides an overview of new and updated VPN features in Sophos Firewall version 20.0, including the introduction of a secure VPN portal, IPsec failover support for high availability, and FQDN host support for defining permitted resources in SSL VPNs. It notes that the VPN portal is designed to isolate VPN features for remote access without exposing the full user portal. The document also describes how existing user portal configurations will be applied to the new VPN portal upon upgrade.

Uploaded by

vehac26364
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
1K views91 pages

EU80 20.0v1 Sophos Firewall Engineer Delta

This document provides an overview of new and updated VPN features in Sophos Firewall version 20.0, including the introduction of a secure VPN portal, IPsec failover support for high availability, and FQDN host support for defining permitted resources in SSL VPNs. It notes that the VPN portal is designed to isolate VPN features for remote access without exposing the full user portal. The document also describes how existing user portal configurations will be applied to the new VPN portal upon upgrade.

Uploaded by

vehac26364
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 91

Copyright © 2023 Sophos Ltd

Sophos Firewall v20.0


Engineer Delta

Sophos Firewall
Version: 20.0v1


Sophos Firewall
EU80: Sophos Firewall v20.0 Engineer Delta

November 2023
Version: 20.0v1

© 2023 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written
consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the
trademarks or registered trademarks of Sophos Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express
or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon,
Oxfordshire, OX14 3YP.

Sophos Firewall v20.0 Engineer Delta - 1


About This Course

This course will cover the changes between Sophos Firewall version 19.5 and Sophos Firewall version
20.0 and is required to maintain your certification.

PREREQUISITES
✓ You must be certified in Sophos Firewall Engineer and any subsequent delta modules up to version 19.5

DURATION: 35 minutes

VPN


Secure VPN Portal

Sophos Firewall version 20 introduces the VPN portal, which contains the VPN-specific features that
were previously in the user portal. This includes remote access client downloads, VPN configuration
downloads, and clientless VPN bookmarks.

The VPN portal provides a hardened, containerized portal design to give remote users in the WAN
zone access to the VPN features without needing to expose the whole user portal.

As the VPN portal is designed to be accessible in the WAN zone, it has been built to be secure,
isolating it from the underlying system as much as possible and implementing features such as
dictionary attack protection and cross-site request forgery (CSRF) protection.

Secure VPN Portal and User Portal Services and Ports

                                                  VPN Portal in SFOS v20.0   User Portal in v20.0
Ports
  Default port                                    443                        4443
  Port sharing with other services                WAF, SSL VPN               -
Features
  Remote access VPN downloads                     ✓
  IPsec automatic provisioning                    ✓
  Clientless bookmark access                      ✓
  OTP tokens                                      ✓                          ✓
  Authentication client and SPX add-in download                              ✓
  Internet usage                                                             ✓
  Email quarantine and exceptions                                            ✓
  Policy overrides                                                           ✓
  Hotspots                                                                   ✓

The VPN portal will use port 443 by default, which can be shared with both the web application
firewall, and SSL VPN. The default port for the user portal is 4443.

Here you can see which features are in the VPN portal and user portal.


[Additional Information]
For more information, see this knowledgebase article:
https://support.sophos.com/support/s/article/KB-000045105

Configuration after Upgrading to SFOS v20.0

• Current user portal port will be assigned to VPN portal
• User portal will be configured on port 4443 or 65009
• User portal device access settings will be applied to the VPN portal
• User portal authentication settings will be applied to the VPN portal
• User portal MFA settings will be applied to the VPN portal

Where a Sophos Firewall is upgraded to version 20.0, the VPN portal will be assigned to the current
user portal port, and the user portal will be configured on port 4443, or port 65009. To make the
migration easier for users, the VPN portal login will have a link to the user portal login page.

The user portal device access settings will be copied and applied to the VPN portal.

The VPN portal will also copy the authentication settings and MFA settings from the user portal.

VPN Portal Port Settings

You can modify the port configuration for the VPN portal and user portal in the Admin and user
settings, where there is now an additional configuration option for setting the VPN portal port
separately from the user portal.

VPN Portal Device Access

In the device access settings, you can independently configure which zones the VPN portal and user
portal are available in. With the introduction of the VPN portal, we would recommend disabling WAN
access to the user portal; you could instead make it available to only the internal zones, and optionally
also the VPN zone.

VPN Portal Authentication

In the authentication services there is a new section where you can configure the authentication
servers for the VPN portal separately from the user portal, and there is a new option in multifactor
authentication to enable it for the VPN portal.

High Availability IPsec Failover

Sophos Firewall version 20 supports seamless transitioning of IPsec VPNs and stateless protocols
without losing the session to reduce network disruptions in the event of a network backbone issue.

This includes route-based IPsec VPNs, policy-based IPsec VPNs, and remote access IPsec VPNs.

Note that while stateless protocols such as UDP and ICMP can fail over without losing the session, TCP
sessions will still experience some disruption; this will be improved in future releases of Sophos Firewall.

FQDN Host Support for SSL VPN

Select FQDN host and group objects for permitted resources

SSL VPNs now support FQDN host and group objects for defining permitted network resources. This is
for both remote access and site-to-site SSL VPNs, making the management of SSL VPNs easier.

This allows you to share resources over SSL VPN that have dynamic address allocation, without the
manual overhead of updating the IP address in the VPN policy.

FQDN Host Support for SSL VPN

• Sophos Firewall resolves the FQDN object to an IP address, which is pushed to the client
• Changes to the IP address will not be reflected on the client until they reconnect
• Unresolved FQDNs can cause the connection to fail

When a client connects to the VPN, Sophos Firewall resolves the FQDN object to an IP address, which
is pushed to the client. For site-to-site SSL VPNs, the DNS resolution is done by the server side of the
connection only.

If the IP address of the resource changes, the client will not be updated until they reconnect.

Note that if Sophos Firewall is unable to resolve the FQDN it can cause the connection to fail.
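As an added illustration (not code from the Sophos course), the following Python models the behaviour described above: the permitted-resource list is resolved once at connect time, names that do not resolve are reported before they cause a failed connection, and a later re-resolution shows which pushed addresses are now stale until the client reconnects. The resource names and DNS answers are constructed.

```python
import ipaddress

# Constructed DNS answer snapshots standing in for the firewall's resolver;
# not taken from the course.
DNS_AT_CONNECT = {
    "app.corp.example":    ["10.10.1.20"],
    "files.corp.example":  ["10.10.1.30", "10.10.1.31"],
    "legacy.corp.example": [],            # does not resolve at connect time
}
DNS_LATER = {
    "app.corp.example":    ["10.10.1.21"],                # resource moved
    "files.corp.example":  ["10.10.1.31", "10.10.1.30"],  # same set, new order
    "legacy.corp.example": ["10.10.1.40"],
}
PERMITTED_RESOURCES = ["app.corp.example", "files.corp.example", "legacy.corp.example"]


def _addrs(resolve, name):
    """Normalised, sorted address set for a name; empty list when unresolved."""
    return sorted({str(ipaddress.ip_address(a)) for a in (resolve(name) or [])})


def plan_push(resources, resolve):
    """Resolve each permitted FQDN once, as happens when the client connects.
    Returns the addresses that would be pushed and the names that did not resolve
    (an unresolved name is the case the course warns can fail the connection)."""
    pushed, unresolved = {}, []
    for name in resources:
        addrs = _addrs(resolve, name)
        if addrs:
            pushed[name] = addrs
        else:
            unresolved.append(name)
    return pushed, unresolved


def detect_drift(pushed, resolve):
    """Re-resolve after connect. A name whose address set changed means the
    connected client still holds the old addresses until it reconnects."""
    return {
        name: {"pushed": old, "current": _addrs(resolve, name)}
        for name, old in pushed.items()
        if _addrs(resolve, name) != old
    }


if __name__ == "__main__":
    pushed, unresolved = plan_push(PERMITTED_RESOURCES, DNS_AT_CONNECT.get)
    print("pushed to client:", pushed)
    print("unresolved (connection may fail):", unresolved)
    print("stale until reconnect:", detect_drift(pushed, DNS_LATER.get))
```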

Monitor IPsec VPN Tunnel Status with SNMP

Information   MIB                        OID                                    Value
Active        IPSecVPNActivationStatus   iso.3.6.1.4.1.2604.5.1.6.1.1.1.1.10    Inactive (0), Active (1)
Connection    IPSecVPNConnectionStatus   iso.3.6.1.4.1.2604.5.1.6.1.1.1.1.9     Inactive (0), Active (1), Partially-active (2)

Sophos Firewall version 20 enhances the information that you can get about IPsec VPNs through
SNMP by providing granular details including:
• The number of connections that are active and inactive
• And the number of tunnels that are connected, disconnected, and partially connected.

An updated MIB file can be downloaded from Sophos Firewall in Administration > SNMP.
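An added monitoring example, not part of the course, that parses net-snmp style snmpwalk output for the two OIDs in the table (the sample lines are constructed) and produces the per-state counts the text describes, plus the one correlation worth alerting on: a connection that is active but whose tunnel is inactive.

```python
import re
from collections import Counter

# Base OIDs from the Sophos Firewall v20 MIB table on this page; snmpwalk appends a
# per-connection instance index to each of them.
OID_ACTIVATION = "iso.3.6.1.4.1.2604.5.1.6.1.1.1.1.10"  # IPSecVPNActivationStatus
OID_CONNECTION = "iso.3.6.1.4.1.2604.5.1.6.1.1.1.1.9"   # IPSecVPNConnectionStatus

# Value meanings from the same table.
ACTIVATION_STATES = {0: "inactive", 1: "active"}
CONNECTION_STATES = {0: "inactive", 1: "active", 2: "partially-active"}

# Constructed sample in the "OID = INTEGER: n" form net-snmp prints when the MIB is
# not loaded; not real firewall output.
SAMPLE_WALK = """
iso.3.6.1.4.1.2604.5.1.6.1.1.1.1.9.1 = INTEGER: 1
iso.3.6.1.4.1.2604.5.1.6.1.1.1.1.9.2 = INTEGER: 2
iso.3.6.1.4.1.2604.5.1.6.1.1.1.1.9.3 = INTEGER: 0
iso.3.6.1.4.1.2604.5.1.6.1.1.1.1.9.4 = INTEGER: 0
iso.3.6.1.4.1.2604.5.1.6.1.1.1.1.10.1 = INTEGER: 1
iso.3.6.1.4.1.2604.5.1.6.1.1.1.1.10.2 = INTEGER: 1
iso.3.6.1.4.1.2604.5.1.6.1.1.1.1.10.3 = INTEGER: 1
iso.3.6.1.4.1.2604.5.1.6.1.1.1.1.10.4 = INTEGER: 0
""".strip().splitlines()

LINE_RE = re.compile(r"^(?P<oid>iso(?:\.\d+)+)\s*=\s*INTEGER:\s*(?P<val>-?\d+)\s*$")


def parse_walk(lines):
    """Map (base OID, instance index) -> integer value for every INTEGER row."""
    rows = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines, other value types, or MIB-resolved names
        base, _, index = m.group("oid").rpartition(".")
        rows[(base, int(index))] = int(m.group("val"))
    return rows


def summarize(rows):
    """Count connections by activation state and tunnels by connection state."""
    connections, tunnels, partial = Counter(), Counter(), []
    for (base, index), value in sorted(rows.items()):
        if base == OID_ACTIVATION:
            connections[ACTIVATION_STATES.get(value, f"unknown({value})")] += 1
        elif base == OID_CONNECTION:
            tunnels[CONNECTION_STATES.get(value, f"unknown({value})")] += 1
            if value == 2:
                partial.append(index)
    return {"connections": dict(connections), "tunnels": dict(tunnels),
            "partially_active": partial}


def enabled_but_down(rows):
    """Instances whose connection is active (enabled) but whose tunnel is inactive.
    This is the state to alert on; an administratively inactive connection with an
    inactive tunnel is expected and should not page anyone."""
    return sorted(
        index for (base, index), value in rows.items()
        if base == OID_ACTIVATION and value == 1
        and rows.get((OID_CONNECTION, index)) == 0
    )


if __name__ == "__main__":
    parsed = parse_walk(SAMPLE_WALK)
    print(summarize(parsed))
    print("enabled but down:", enabled_but_down(parsed))
```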

Wildcard Remote Gateway for Route-Based VPN

Local and remote ID are required when using a wildcard remote gateway

When you configure route-based VPNs, Sophos Firewall version 20 now supports having multiple
wildcard gateway addresses in the same way that you can for policy-based VPNs. To configure a
wildcard gateway, you must configure the local and remote ID.

Unique Preshared Keys for the same Local

Prior to version 20, Sophos Firewall enforced a single preshared key for all connections that had the
same local and remote gateways configured. In version 20 you can now configure unique preshared
keys for connections that have the same local and remote gateways, but you must configure the local
and remote ID in the connection.

DH Group Support

Sophos Firewall version 20 adds support for Brainpool Elliptic Curve Groups 27 to 30 (RFC 6954) to
improve interoperability, and support compliance requirements in some regions.

Protection


Active Threat Response

[Diagram: telemetry from Sophos products (Sophos Firewall, Sophos Endpoint) and third-party integrations flows into the Sophos Central data lake; Sophos Managed Detection & Response analysts use advanced tools and machine learning to identify anomalies and update the customer's threat feed, which Sophos Central Firewall Management delivers as threat intelligence to block them on the Firewall.]

Sophos Firewall version 20 introduces Active Threat Response, which allows the MDR team to share
threat intelligence with Sophos Firewall in real-time, responding to active threats on the network
quickly and effectively.

Let’s look at how this works.

Sophos products managed through Sophos Central and third-party integrations, send telemetry to the
data lake.

The Sophos MDR team continuously analyzes the data using advanced tools, machine learning, and so
forth, to identify anomalies. When an anomaly is detected, an analyst confirms the threat and sends
the threat intelligence to the Sophos Firewall, where it is blocked in all relevant subsystems,
including firewall, DNS, IPS, web, and deep packet inspection.

Sophos Central Firewall Management provides the channel through which the MDR team can send
threat intelligence, in the form of indicators of compromise (IoCs), to the specific customer's
firewalls. There is no need to manually create configurations for blocking; it is all handled
automatically.

If you are using Sophos Endpoint Protection, Sophos Firewall will not only block attempts to access
the IoC but can also query any endpoint that tries to access the IoC for additional information,
including the executable, the process user, and the logged-in user. Lateral movement protection can
also share the details of the compromised endpoint with other devices to stop it from spreading
across the network.

Active Threat Response

Let’s see what this looks like in the web admin console. ‘Active threat response’ has replaced
‘Advanced protection’ in the left-hand menu.

Sophos X-Ops Threat Feeds (was ‘Advanced protection’)

In the ‘Active threat response’ section are two tabs, ‘MDR threat feeds’, and ‘Sophos X-Ops threat
feeds’.

‘Sophos X-Ops threat feeds’ is the new name for ATP, Advanced Threat Protection, which better
represents the protection data provided by SophosLabs. This threat feed is updated via pattern
updates and blocks across multiple subsystems, including firewall, DNS, IPS, and web
protection.

The only change to this tab is its name, all the configuration remains the same; however, when the
action is toggled between ‘log only’ and ‘log and drop’ this no longer requires the service to restart.

MDR Threat Feeds

‘MDR threat feeds’ come directly from the MDR team and are unique to you, containing real-time
threat intelligence based on analysis of telemetry sent to the data lake from Sophos products and
third-party integrations. These indicators of compromise, IoCs, are then blocked on all relevant
subsystems.

The configuration is very similar to Sophos X-Ops threat feeds. Once enabled, you can choose whether
to only log, or log and drop traffic.

There is also a link that will take you to the log settings where you can choose whether to log locally,
to Sophos Central, or to both, and whether to suppress duplicate events.

Threat Exclusions

You can create exclusions for Active threat response as you could previously for ATP, and these apply
to both MDR threat feeds and Sophos X-Ops threat feeds.

MDR Threat Feed Requirements

LICENSES          Sophos MDR; Active Xstream Protection Bundle
SOPHOS FIREWALL   Sophos Firewall v20.0+; Registered to Sophos Central with Firewall Management and Central Reporting enabled
OPTIONAL          Sophos NDR; Sophos Endpoint Intercept X with Synchronized Security enabled on Sophos Firewall

There are a few requirements for using the Sophos MDR threat feeds.

You need to have a Sophos MDR license and an active Xstream Protection Bundle for Sophos Firewall.

Sophos Firewall must be running version 20 or later and must be registered to Sophos Central with
Firewall Management and Central Reporting enabled.

Optionally, you can also use:


• Sophos NDR to provide additional telemetry that can be used to identify anomalies
• And Sophos Endpoint Intercept X and Synchronized Security enabled on Sophos Firewall to provide
lateral movement protection

Note that Intercept X licenses are included with MDR.

Control Center

In the Control Center there is a new ‘Active threat response’ widget in the ‘User & device insights’
section. Here you will see detections for the MDR threat feed and Sophos X-Ops threat feeds.

Clicking on this widget will show you additional information about the detections, including the
hostname and IP address, which threat feed the detection was from, the threat detected, the executable,
and the number of detections.

Logs

[Screenshots: a URL indicator blocked from the MDR threat feed; a DNS indicator blocked from the MDR threat feed; the log viewer filtered on Active threat response.]

In the log viewer you will find a new Active threat response log to filter on.

The first example here is a detection for a URL IoC shown in the standard view.

The second example is a DNS IoC shown in the detailed view.


Logs

[Screenshots: the Admin log shows when IoCs have been added; the detailed view shows an ID for auditing IoCs added to your MDR threat feed.]

In the Admin log you can see when IoCs have been added to your MDR threat feed.

If you switch to the detailed view, you can also see an audit ID that can be used if you need to
troubleshoot a detection.

Reports

In the reports there is a new Active threat response category of network report.

The first part of the report provides an overview of the threat source, category, and which module
detected it.

Further down the page you can find details on the threat events and destinations.

At the bottom of the page are detailed tables for the threat events and the synchronized IoCs.

WAF Enhancements

Sophos Firewall version 20 includes three new enhancements to the web application firewall. These
are:
• HSTS and MIME-type sniffing protection
• GeoIP blocking
• And custom cipher configuration

Network and Routing


Enable and Disable Interfaces

In Sophos Firewall version 20 you can now enable and disable interfaces without losing interface
configuration.

This can be very useful when troubleshooting, as it allows you to disable an interface while you
perform tests and then easily re-enable it afterwards without needing to reconfigure it.

In the Control Center the interface status will show if the interface has been disabled.

Enable and Disable Interfaces

Interface Type             Enable/Disable Supported
Physical                   Yes
VLAN                       Yes
LAG (group)                Yes
Bridge                     Yes
Individual LAG member      No
Individual Bridge member   No
Alias                      No
Wireless WAN               Yes* (can use disconnect option)
Tunnel interface (XFRM)    No
Wi-Fi                      Yes (bridge to AP and simplified bridge are not supported)
RED                        Yes

Interface enable and disable is available for most interface types except for individual LAG or bridge
member interfaces, aliases, and tunnel interfaces for route-based IPsec VPNs.

SD-WAN Routes (SFOS v19.5 MR 1)

There are a couple of minor usability improvements to SD-WAN routes.

When you are creating a route, you can now choose the route position, either top or bottom.


On the SD-WAN routes tab there are additional controls in the ellipsis menu for each route that allow
you to clone the route and to add routes above and below the selected route.

SD-WAN Gateway Limit Increase

Appliance Model                        Max. Gateways
XGS87/87w, XGS107/107w                 64 (no change)
XGS4300, XGS4500                       2048
XGS5500, XGS6500, XGS7500, XGS8500     3072
All other appliances                   1024 (no change)

In Sophos Firewall version 20, the SD-WAN gateway limit is now determined by the type of appliance
you have, which means that the limit can scale up for larger appliances.

The new gateway limits are shown in the table above.

Dynamic Routing (SFOS v19.5 MR 2)

The number of multicast groups now supported by dynamic routing has also increased to 4,000.

BGP IPv6

• BGP for IPv6 support added to existing BGP UI
• Up to 200 IPv6 peers and 200 IPv4 peers
• BGP for IPv6 supports redistribution of OSPFv3, static, and connected routes
• IPv6 networks shared to IPv6 neighbors and IPv4 networks shared to IPv4 neighbors by default

BGP for IPv6 support has been added and runs as a unified service with BGP for IPv4. IPv6 support has
been added to the existing BGP UI with minimal changes.

BGP on Sophos Firewall supports 200 peers for IPv6 and 200 peers for IPv4, for a total of up to 400
peers.

BGP for IPv6 supports redistribution of OSPFv3, static, and connected routes.

By default, IPv6 networks are only shared to IPv6 neighbors and IPv4 networks are only shared to IPv4
neighbors. This behavior can be changed on the command line.

IPv6 DHCP Prefix Delegation

• Automates the IP assignment of IPv6 prefixes to subnets, simplifying network setup and reducing manual configuration overhead
• Seamlessly integrates with ISP-provided DHCP-PD for LAN networks

DHCP prefix delegation, or DHCPv6-PD, is a feature of DHCPv6 that allows a DHCPv6 server to delegate
a subnet prefix to a DHCPv6 client. This allows the client to assign IPv6 addresses to its own clients on
its own subnet.

DHCP prefix delegation is typically used by ISPs to assign IPv6 subnets to their customers. The
customer's router can then assign IPv6 addresses to the devices on their network.

DHCPv6-PD offers a few benefits, including:


• Scalability: DHCPv6-PD allows a single DHCPv6 server to manage a large number of IPv6 addresses.
This is because the DHCPv6 server delegates prefixes to DHCPv6 clients, which then assign IPv6
addresses to devices on their networks
• Simplicity: DHCPv6-PD is relatively simple to configure and manage. This is because it is based on
the DHCPv6 protocol, which is already widely used
• And security: DHCPv6-PD can be used to implement security features such as prefix filtering and
address reservation

IPv6 DHCP Prefix Delegation

[Diagram: Delegating router (ISP) - Requesting firewall (PortB, WAN, upstream interface; PortA, LAN, downstream interface) - Delegated subscriber. The firewall asks the ISP to "request a prefix for my local network" and is told "here is your prefix 2001:db8:0:f01::/56"; the downstream interface is configured to use the delegated prefix and router advertisement is enabled; the subscriber asks to "request an IP address" and is told "here is your IP address 2001:db8:0:f01:7faa:11ce:95d6:bab0/64".]

Let’s take a look at how it works.

The upstream interface, which is the WAN port, on the Sophos Firewall requests a prefix delegation
from the DHCP server.

The DHCP server provides a prefix back to Sophos Firewall.

The downstream interface on the Sophos Firewall, which will be an internal network, is configured to
use a delegated prefix from the DHCP server, and router advertisement is enabled.

Clients on the network can request an IP address from Sophos Firewall and get an address from the
prefix delegated to that interface.
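An added worked example (not from the course) of the prefix arithmetic behind the steps above, using the slide's values: it carves the delegated /56 into /64 subnets for downstream interfaces and derives which subnet the subscriber address belongs to. The slide's prefix as written has bits set beyond /56, so the code normalizes it to the aligned network before carving.

```python
import ipaddress

# Values from the slide; 2001:db8::/32 is the IPv6 documentation range.
ISP_DELEGATION = "2001:db8:0:f01::/56"
SUBSCRIBER_ADDRESS = "2001:db8:0:f01:7faa:11ce:95d6:bab0/64"


def normalize_delegation(prefix):
    """Return (network, aligned). A DHCPv6-PD lease is a prefix plus a length; if the
    textual form carries bits beyond that length, the prefix a router actually routes
    on is the aligned one (the slide's f01::/56 aligns to f00::/56)."""
    try:
        return ipaddress.IPv6Network(prefix, strict=True), True
    except ValueError:
        return ipaddress.IPv6Network(prefix, strict=False), False


def carve_subnets(prefix, new_prefix=64):
    """All /new_prefix subnets the requesting router can hand to downstream interfaces."""
    net, _ = normalize_delegation(prefix)
    if new_prefix < net.prefixlen:
        raise ValueError(f"cannot carve /{new_prefix} from a /{net.prefixlen} delegation")
    return list(net.subnets(new_prefix=new_prefix))


def downstream_subnet(prefix, subnet_id, new_prefix=64):
    """Subnet that the downstream interface with this subnet ID advertises via RA."""
    subnets = carve_subnets(prefix, new_prefix)
    if not 0 <= subnet_id < len(subnets):
        raise ValueError(f"subnet ID {subnet_id} outside 0..{len(subnets) - 1}")
    return subnets[subnet_id]


def locate_host(address, prefix, new_prefix=64):
    """Subnet ID within the delegation that a host address falls into, or None when the
    address lies outside the delegated prefix (not a client of this router)."""
    host = ipaddress.IPv6Interface(address).ip
    net, _ = normalize_delegation(prefix)
    if host not in net:
        return None
    offset = int(host) - int(net.network_address)
    return offset >> (128 - new_prefix)  # drop the interface-identifier bits


if __name__ == "__main__":
    net, aligned = normalize_delegation(ISP_DELEGATION)
    print(f"delegation {ISP_DELEGATION} -> {net} (aligned={aligned})")
    print(f"{len(carve_subnets(ISP_DELEGATION))} /64 subnets available downstream")
    sid = locate_host(SUBSCRIBER_ADDRESS, ISP_DELEGATION)
    print(f"{SUBSCRIBER_ADDRESS} is in subnet ID {sid}: "
          f"{downstream_subnet(ISP_DELEGATION, sid)}")
```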

Azure Single Arm Deployments

[Diagram. CONFIGURATION: deploy from the Azure marketplace using the ARM template; PortB is mapped to eth0, which is the WAN interface. VNET ROUTING: Azure will route traffic between the public and private subnets in a VNET automatically. LIMITATIONS: only the WAN zone will be supported; not all features are supported in a single-arm deployment.]

The Azure Marketplace ARM template for Sophos Firewall version 20 supports single arm
deployments. This means that you can now choose smaller instance sizes for single arm deployments,
reducing infrastructure costs and network complexity.

When deployed in single arm mode, PortB is mapped to eth0, which is the WAN interface. Note that
only the WAN zone will be supported in single arm deployments.

When using Sophos Firewall in a single arm deployment, Azure can route traffic for the firewall
between the public and private subnets.

Not all Sophos Firewall features will be available in single arm deployments; for example, some web
proxy functions will not work because there is no LAN port. The following core functionality is
available in single arm deployments:
• Firewall and NAT rules for inbound and outbound traffic
• IPS
• WAF

Note that it will not be possible to migrate from dual arm to single arm deployments, and it will not be
possible to restore a backup from a dual arm deployment on a single arm deployment because of the
way the network interfaces are mapped.

Zero Trust Network Access (ZTNA)


What is ZTNA?

Verify the User | Validate the Device | Limit Access & Privilege

In its most basic form, ZTNA is all about verifying the user, typically with multi-factor authentication to
prevent stolen credentials from being a source of compromise, then validating the health and
compliance of the device. Is it enrolled? Is it up to date? Is it properly protected? Is encryption
enabled? And so forth. This information is used to make decisions based on policies to determine
access and privilege to important networked applications.

Why ZTNA Instead of a VPN?

Security: only allow access to specific applications
Flexibility: protect a wide range of resources including cloud-based applications and on-premises applications
Usability: provide a seamless user experience
Efficiency: only route traffic for required applications

ZTNA is better than VPN because it is a more secure and flexible approach to remote access. VPNs
create a secure tunnel between the user's device and the corporate network, giving the user access to
all resources on the network. This can be a security risk, as it gives attackers access to the entire
network if they are able to compromise a VPN connection. ZTNA, on the other hand, implements a
zero-trust security model, which means that users are only granted access to the resources they need,
based on their identity and context. This reduces the attack surface and makes it more difficult for
attackers to gain access to sensitive data.

ZTNA is flexible as it can be used to protect a wide range of resources, including cloud-based
applications and on-premises applications. ZTNA can also be used to provide remote access to users
who are not working from a traditional corporate office.

ZTNA provides a better experience for users with a seamless workflow that doesn’t require them to
launch a VPN client.

ZTNA can also be more efficient by only routing the traffic for specific applications instead of whole
networks.

Sophos ZTNA

SOPHOS CENTRAL
• Cloud-based management
• Easy ZTNA deployment alongside Intercept X or as standalone
• Granular policy controls
• Insightful reporting

ZTNA GATEWAY
• On-premises or Sophos Cloud
• Virtual machine or Sophos Firewall
• Intelligently and continuously verifies and validates access based on policy
• Log and event data shared with Sophos Central

ZTNA AGENT
• Transparent and frictionless
• Integrates identity and device health continuously
• Easy to deploy from Sophos Central
• Available for Windows and macOS
• Mobile support to follow

Sophos ZTNA consists of three components:


• Sophos Central, to provide policy management and reporting
• ZTNA gateways, to control access
• And a ZTNA client, to authenticate the user and validate the device health

Let’s look at these in a bit more detail.

Sophos Central provides a simple cloud-based management platform. From here you can manage the
ZTNA gateways, define the applications being accessed, and configure granular policy controls.

The ZTNA gateways can be deployed on-premises or in Sophos Cloud. On-premises ZTNA gateways are
deployed as virtual machines on either ESXi, Hyper-V, or AWS. Sophos Cloud ZTNA Gateways are
deployed using a virtual machine or a Sophos Firewall.

The gateways continuously verify and validate access based on the policies defined in Sophos Central.
Log and event data from the gateways is shared with Sophos Central to provide insightful reports.

The ZTNA Agents are transparent and frictionless and can be easily deployed alongside Intercept X, or
as standalone. The client is available on Windows and macOS, with mobile support to follow.

Our ZTNA solution will make an excellent complement to both our Endpoint and our Firewall products,
adding new capabilities and security to both.

Sophos ZTNA on Sophos Cloud using Sophos Firewall

[Diagram: Sophos Central provides ZTNA policy management and reporting; the Sophos ZTNA client sends user identity and device health to Sophos Cloud; ZTNA using Sophos Firewall performs continuous user verification and device validation in front of cloud applications and datacenter applications.]

When ZTNA is deployed in Sophos Cloud using Sophos Firewall, ZTNA on Sophos Firewall connects to
Sophos Cloud using an outbound connection on port 443. No inbound ports need to be opened.

The client connects to Sophos Cloud and the connection is proxied to the ZTNA gateway on Sophos
Firewall using its outbound connection.

The advantage of using Sophos Firewall is that there is no additional configuration, it does not need a
public IP address because it uses an outbound connection, and there is no NAT or routing
configuration that needs to be added.

ZTNA Licensing

Simple per-user licensing: 15 GB / user / month. ZTNA gateways are free to deploy.

When deploying in Sophos Cloud using either Cloud Gateways or Sophos Firewall, ZTNA uses per-user
licensing with a 15GB per user per month bandwidth allowance.

If you have 10 users, you have a total bandwidth allowance of 150GB per month. This does not have to
be used evenly across your users. Reaching the limit does not immediately block access to applications
through ZTNA, but you will need to purchase additional users to increase your bandwidth allowance.

The gateways are still free to deploy.


Requirements
Zero Trust Network Access (ZTNA)

• Directory service with user groups configured and synchronized with Central
• Identity provider to authenticate your users. This can be either Azure AD or Okta
• Sophos Firewall version 19.5 MR 3 or later
• A validated domain in Sophos Central
• Public DNS CNAME record for the ZTNA gateway
• Wildcard certificate for the domain

The requirements to deploy ZTNA on Sophos Cloud are:

• A directory service with user groups configured and synchronized with Central. This can be
Microsoft Azure AD or Active Directory
• An identity provider to authenticate your users. You can use either Azure AD or Okta
• A supported platform to host the ZTNA gateway
• A validated domain in Sophos Central
• A public DNS CNAME record for the ZTNA gateway
• And a wildcard certificate for the ZTNA Gateway

The differences in requirements compared to an on-premises deployment are that you first need to
validate a domain in Sophos Central, and that you need to create a CNAME record in DNS for the ZTNA
gateway that points to Sophos Cloud rather than an A record for your server.

In the Sophos Cloud deployment mode, you do not need to create any inbound firewall access to the
ZTNA gateway, because an outbound connection to Sophos Cloud is used.


Configuration Steps
Zero Trust Network Access (ZTNA)

• Validate your domain in Sophos Central using DNS
• Configure ZTNA for Sophos Cloud deployment using Sophos Firewall
• Create a DNS alias for the ZTNA gateway to Sophos Cloud
• Create resources

There are four main steps to deploying ZTNA using Sophos Cloud and Sophos Firewall.

First, you need to validate your domain in Sophos Central by creating a DNS record.

Next, you need to configure the ZTNA gateway in Sophos Central using the Sophos Cloud deployment
mode.

You then need to create the DNS alias for the ZTNA gateway that resolves to Sophos Cloud.

Finally, you need to create the resources that the gateway will provide access to.


Simulation: Domain Validation in Sophos Central
Zero Trust Network Access (ZTNA)

In this simulation you will validate a domain in Sophos Central for ZTNA deployment on Sophos Cloud.

https://training.sophos.com/zt/simulation/CloudDomainValidation/1/start.html

Please complete this simulation.

Click Launch Simulation to start. Once you have finished, click Continue.

[Additional Information]
https://training.sophos.com/zt/simulation/CloudDomainValidation/1/start.html


ZTNA Gateway Configuration
Zero Trust Network Access (ZTNA)

[Screenshot callouts: deploying on Sophos Firewall uses Sophos Cloud; the platform type is ‘Firewall’; select a Sophos Central managed firewall; FQDN for the gateway; select the validated domain; identity provider for the ZTNA gateway]

To deploy ZTNA using Sophos Firewall select the Sophos Cloud ‘Gateway mode’, then select Firewall
as the ‘Platform type’.

You can then choose from a list of Sophos Firewalls that are managed in Sophos Central. These are
organized into their groups and display their label if you have one applied.

Enter the fully qualified domain name (FQDN) for the gateway and select a validated domain. The
FQDN for the gateway must be in the validated domain.

Select the identity provider the ZTNA gateway will use.

ZTNA Gateway Configuration
Zero Trust Network Access (ZTNA)

[Screenshot callouts: select where the gateway will be hosted by Sophos Cloud; wildcard certificate and private key]

You need to choose which region you want the gateway to be hosted by Sophos Cloud in.

At the time of writing there are three regions: Europe, North America, and Asia, with two locations in
each region. You should choose a location close to your gateway to reduce latency.

You need to upload a wildcard certificate for the domain and the private key.

[Additional Information]
Points of presence you can select as of January 2023.
• Europe
  • Ireland
  • Frankfurt
• North America
  • US East Ohio
  • US West Oregon
• Asia
  • Bombay
  • Sydney


DNS Alias
Zero Trust Network Access (ZTNA)

[Screenshot callouts: DNS record type; hostname of the gateway; FQDN of Sophos Cloud]

When you save the configuration, the value of the CNAME DNS record that needs to be created for the
gateway will be shown.

To configure this in your DNS, add a new DNS record of type CNAME. In the ‘Host’ field enter the
hostname of your gateway. In our example we have cloud1.ztna as it is in the ‘ztna’ subdomain of
trainingdemo.xyz. In the ‘value’ field, paste the FQDN of Sophos Cloud that is displayed when you
saved the gateway.
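As an added example (not Sophos code, and not part of the course), the following Python checks the two DNS constraints this and the gateway configuration page describe: the gateway FQDN must sit inside the validated domain, and the alias must be a CNAME whose value is the Sophos Cloud name rather than an IP address. It also flags a leftover A record at the same name, which is the usual mistake when converting an on-premises gateway to the Sophos Cloud mode. The Sophos Cloud target name and the zone contents are constructed placeholders.

```python
"""Added example, not Sophos code: derive and sanity-check the CNAME record
for a ZTNA gateway fronted by Sophos Cloud.

Assumptions (not from the course): the DNS zone is modelled as a dict of
host -> (record type, value), and the Sophos Cloud target name used below
is a constructed placeholder, not a real Sophos hostname.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class CnameRecord:
    host: str   # value for the 'Host' field, relative to the zone, e.g. "cloud1.ztna"
    value: str  # target FQDN shown by Sophos Central after the gateway is saved


def _norm(name: str) -> str:
    """Lower-case and drop a trailing dot so 'a.b.' and 'A.B' compare equal."""
    return name.strip().lower().rstrip(".")


def in_validated_domain(fqdn: str, validated_domain: str) -> bool:
    """True if fqdn is a proper subdomain (any depth) of the validated domain."""
    f, d = _norm(fqdn), _norm(validated_domain)
    return f != d and f.endswith("." + d)


def relative_host(gateway_fqdn: str, validated_domain: str) -> str:
    """Strip the zone suffix from the gateway FQDN to get the 'Host' field value."""
    if not in_validated_domain(gateway_fqdn, validated_domain):
        raise ValueError(f"{gateway_fqdn} is not inside the validated domain {validated_domain}")
    return _norm(gateway_fqdn)[: -(len(_norm(validated_domain)) + 1)]


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def build_cname(gateway_fqdn: str, validated_domain: str, cloud_target: str) -> CnameRecord:
    """Build the record to add. The value must be a hostname: Sophos Cloud fronts
    the gateway, so an A record with the firewall's own IP would be wrong here."""
    target = _norm(cloud_target)
    if _is_ip(target):
        raise ValueError("CNAME value must be the Sophos Cloud FQDN, not an IP address")
    return CnameRecord(host=relative_host(gateway_fqdn, validated_domain), value=target)


def check_zone(zone: dict, record: CnameRecord) -> list:
    """Compare the intended record against the zone and list what is wrong.

    A CNAME may not share its name with any other record type (RFC 1034 s3.6.2),
    so a leftover A record at the gateway name is reported rather than silently
    shadowed."""
    problems = []
    existing = zone.get(record.host)
    if existing is None:
        problems.append(f"missing: add CNAME {record.host} -> {record.value}")
        return problems
    rtype, value = existing
    if rtype.upper() != "CNAME":
        problems.append(f"{record.host} has an {rtype} record; a CNAME cannot share the name")
    elif _norm(value) != record.value:
        problems.append(f"{record.host} CNAME points to {_norm(value)}, expected {record.value}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the course's gateway name inside its validated domain.
    rec = build_cname("cloud1.ztna.trainingdemo.xyz", "trainingdemo.xyz",
                      "example-gateway.sophos-cloud.invalid")
    zone = {"cloud1.ztna": ("A", "203.0.113.5")}  # constructed stale A record
    print(rec, check_zone(zone, rec))
```

Run it after saving the gateway in Sophos Central, substituting the real CNAME value that Sophos Central displays for the placeholder target.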


ZTNA Gateway Status on Sophos Firewall
Zero Trust Network Access (ZTNA)

In the Sophos Firewall Control Center, you will see the ‘Zero Trust Network Access’ status in the
‘System’ section change from ‘Not configured’ to ‘Active’.


Creating Resources
Zero Trust Network Access (ZTNA)

Resources can be ‘Web Applications’ or ‘Firewall Web Admin portal’; these are the only types
supported for agentless access. A single access port can be configured for agentless web applications,
with a choice of HTTP or HTTPS, and the port number can also be configured. Selecting ‘Firewall
Web Admin portal’ preconfigures the access port. Note that the option to create a resource of type
‘Firewall Web Admin portal’ is only available when a Sophos Firewall is selected as the ZTNA gateway.

The option to ‘Show resource in user portal’ will display an icon, allowing users to open the
application, when they connect to the ZTNA gateway.


Creating Resources
Zero Trust Network Access (ZTNA)

Using the Agent access method allows a choice of resource types.

The available resource types for the agent access method include Web Application, SSH, RDP, CIFS, and
Firewall SSH for connecting to the Sophos Firewall itself. The agent web application type can be used
to access applications that are not exposed publicly through DNS.

Note that the option to create a resource type ‘Firewall SSH’ is only available when a Sophos Firewall is
selected as the ZTNA gateway.


Creating Resources
Zero Trust Network Access (ZTNA)

[Screenshot callouts: external FQDN, for users to access the resource through ZTNA; internal FQDN or IP, for ZTNA to proxy traffic to the application; multiple access port types can be configured]

Resources have separate external and internal FQDNs. When the user tries to access a resource, they
will use the external FQDN. The gateway will use the internal FQDN or IP address to proxy the traffic to
the application.

When you select the resource type you can configure the access port type and port number. Agentless
access supports a single HTTP or HTTPS port, whereas agent-based access can support multiple TCP
and UDP ports.


Creating Resources
Zero Trust Network Access (ZTNA)

Resources must also be assigned to one or more groups to allow users to access them. Here you can
see that a resource has been created and we are using Okta as the identity provider. The resource has
been assigned to the ZTNA_ALL group.
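The rules spread across the ‘Creating Resources’ pages (agentless versus agent resource types, single HTTP/HTTPS port versus multiple TCP/UDP ports, firewall-only resource types, and mandatory group assignment) can be checked before a resource is created. The following validator is an added example and not Sophos code; the Resource field names and the protocol labels are placeholders chosen for the example, and the sample resources are constructed.

```python
"""Added example, not Sophos code: a validator that encodes the ZTNA resource
rules described on the 'Creating Resources' slides.

Assumptions (not from the course): the Resource field names below and the
port-protocol labels ("HTTP", "HTTPS", "TCP", "UDP") are placeholders for
the example; Sophos Central's own schema may differ.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

AGENTLESS_TYPES = {"Web Application", "Firewall Web Admin portal"}
AGENT_TYPES = {"Web Application", "SSH", "RDP", "CIFS", "Firewall SSH"}
# Only offered when a Sophos Firewall is the selected ZTNA gateway.
FIREWALL_ONLY_TYPES = {"Firewall Web Admin portal", "Firewall SSH"}


@dataclass
class Resource:
    name: str
    access: str                 # "agentless" or "agent"
    resource_type: str
    external_fqdn: str          # what the user enters to reach the resource
    internal_target: str        # FQDN or IP the gateway proxies to
    ports: List[Tuple[str, int]] = field(default_factory=list)  # (protocol, port)
    groups: List[str] = field(default_factory=list)


def validate_resource(res: Resource, gateway_is_firewall: bool) -> List[str]:
    """Return a list of rule violations; an empty list means the resource is valid."""
    problems: List[str] = []

    if res.access == "agentless":
        if res.resource_type not in AGENTLESS_TYPES:
            problems.append(f"{res.resource_type!r} is not available for agentless access")
        if len(res.ports) != 1:
            problems.append("agentless access supports exactly one access port")
        for proto, _ in res.ports:
            if proto not in ("HTTP", "HTTPS"):
                problems.append(f"agentless access port must be HTTP or HTTPS, not {proto}")
    elif res.access == "agent":
        if res.resource_type not in AGENT_TYPES:
            problems.append(f"{res.resource_type!r} is not available for agent access")
        if not res.ports:
            problems.append("agent access needs at least one TCP or UDP port")
        for proto, _ in res.ports:
            if proto not in ("TCP", "UDP"):
                problems.append(f"agent access port must be TCP or UDP, not {proto}")
    else:
        problems.append(f"unknown access method {res.access!r}")

    if res.resource_type in FIREWALL_ONLY_TYPES and not gateway_is_firewall:
        problems.append(f"{res.resource_type!r} requires a Sophos Firewall as the ZTNA gateway")

    for _, port in res.ports:
        if not 1 <= port <= 65535:
            problems.append(f"port {port} is out of range")

    if not res.external_fqdn or not res.internal_target:
        problems.append("both an external FQDN and an internal FQDN/IP are required")

    if not res.groups:
        problems.append("assign the resource to at least one group or no user can reach it")

    return problems


if __name__ == "__main__":
    # Constructed sample resources in the course's demo domain.
    intranet = Resource("Intranet", "agentless", "Web Application",
                        "intranet.ztna.trainingdemo.xyz", "10.0.0.10",
                        [("HTTPS", 443)], ["ZTNA_ALL"])
    fw_ssh = Resource("Firewall SSH", "agent", "Firewall SSH",
                      "fw.ztna.trainingdemo.xyz", "10.0.0.1", [("TCP", 22)], ["ZTNA_ALL"])
    for res, is_fw in ((intranet, True), (fw_ssh, True), (fw_ssh, False)):
        print(res.name, "firewall gateway" if is_fw else "cloud gateway",
              validate_resource(res, gateway_is_firewall=is_fw) or "ok")
```

The `gateway_is_firewall` flag is what separates the two gateway modes in the course: the same ‘Firewall SSH’ resource is valid behind a Sophos Firewall and rejected behind a cloud gateway.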


Learn More
Zero Trust Network Access (ZTNA)

To learn more about ZTNA, please take the Sophos ZTNA on-demand training course.

Azure AD SSO


Azure AD SSO
Azure AD SSO

• SSO for users
• Azure AD group import
• Automatic role updates

Prior to Sophos Firewall version 20, Azure AD SSO could only be used for authenticating firewall
administrators for the web admin console. In version 20 you can now authenticate using Azure AD SSO
through the captive portal.

In addition to being able to authenticate users, you can now import Azure AD groups into the firewall.

Where a user has previously authenticated with the firewall and is then assigned an administrator role
in Azure AD, this will automatically promote the user to be an admin on the firewall.


API Permissions to Import Azure AD Groups
Azure AD SSO

To be able to import groups from Azure AD you need to add an additional permission to the API
permissions in your app registration on Azure. The new permission is the Group.Read.All Application
permission.


Authentication Server Role Mapping
Azure AD SSO

Azure AD SSO authentication servers can be created for authenticating either users or administrators.
When a user is being authenticated there is no need to match on a role from Azure; however, when
authenticating an administrator, you need to define how to map the Azure role to the Sophos Firewall
profile.

You can create a single authentication server to authenticate both users and administrators. In this
case, select ‘Administrator’ and define the role. Any user that is authenticated that does not match a
role will be authenticated as a standard user.


Import Azure AD Groups
Azure AD SSO

Once you have added an Azure AD authentication server in Sophos Firewall, you will see an icon for
group import, the same as you would for Active Directory.


Import Azure AD Groups
Azure AD SSO

In the import wizard you can choose to either import all groups, or import only the groups whose
attributes match the criteria you define (either equal to, or starting with, a value) for one or all of
the attributes.

You can select the groups based on:


• Display name
• Description
• Object ID
• Mail
• Mail nickname
• And Security


Import Azure AD Groups
Azure AD SSO

On the next page you can select which of the groups that are returned you want to import.


Import Azure AD Groups
Azure AD SSO

You can choose which policies to apply to the groups, and whether you want the selected policies to
apply to all the groups you are importing, or if you want to customize the policies per group.


Import Azure AD Groups
Azure AD SSO

Finally, you can review a summary and click Finish to start the import.


Enable Azure AD For Firewall Authentication
Azure AD SSO

To use Azure AD with the captive portal, you need to select the authentication server as a firewall
authentication method in Services.


Allow Required Domains For Azure Portal Authentication
Azure AD SSO

Azure portal authentication domains can be found in this article:
https://learn.microsoft.com/en-us/azure/azure-portal/azure-portal-safelist-urls

So that users can authenticate with Azure AD, they need to be able to reach specific Azure services
before they have authenticated to the firewall. To enable this, create a firewall rule above the firewall
rule that requires authentication, allowing users access to these resources. You can find the list of
domains in the Microsoft article.

[Additional Information]
The domains required for Azure portal authentication can be found in this Microsoft article.
https://learn.microsoft.com/en-us/azure/azure-portal/azure-portal-safelist-urls?tabs=public-cloud


Captive Portal Authentication
Azure AD SSO

Once configured, when a user is prompted to authenticate via the captive portal, they will have the
option to choose Single sign-on. They can then use their existing Azure AD account to authenticate.


Logging Out
Azure AD SSO

• The Azure authentication token is valid for 7 days by default
• You must explicitly log out, as Sophos Firewall does not have any control over the token validity

It is important to note that the Azure authentication token is valid for 7 days by default, and so closing
the tab or enabling logout on inactivity will not work, because the firewall does not control the token
validity. The user must explicitly log out to invalidate the authentication token.


Automatic Role Promotion
Azure AD SSO

• User is created on Sophos Firewall when they log in via the captive portal
• User is promoted when they next log in and have the role configured in Azure: the firewall changes the user type and assigns the specific profile
• User retains the administrator role on the firewall even if it is removed in Azure: the user needs to be manually deleted in this scenario

When you assign a firewall admin role in Azure, Sophos Firewall will now automatically promote the
user the next time they log in. This means that the user type will be changed from user to
administrator, and the relevant profile will be assigned.

This is a one-way process. If the role is removed from the user in Azure, this will not revoke the
permissions on Sophos Firewall. There is no path for changing an administrator user to a standard user,
so in this scenario the user will need to be manually deleted on Sophos Firewall.

The user will then be recreated on the firewall the next time they log in.


Log File
Azure AD SSO

In the log viewer, you can see the authentication mechanism used to authenticate each user. Here you
will be able to see if it is Azure AD SSO.

Other Enhancements and Changes

Object Reference Lookup
Other Enhancements and Changes

Sophos Firewall version 20 introduces object reference lookup for hosts and services. For each object
you can see how many times it has been used in the usage column. The usage count is calculated daily
but can be manually refreshed using the icon next to the column label.


Object Reference Lookup
Other Enhancements and Changes

[Screenshot callouts: ‘Go to configuration page’ link; ‘Open configuration here’ link]

By clicking on the number of references in the usage column you can see every place that object has
been used.

In this example we can see it has been used in the ‘London New York Traffic’ firewall rule, in the
‘London Networks to WAN’ TLS inspection rule, and in the ‘NY MPLS’ SD-WAN route.

Each reference shown is a link. Those with the icon will take you to that configuration page in Sophos
Firewall.

All other links allow you to directly edit or remove objects without having to navigate away from this
page.


Support for High Resolution Screens
Other Enhancements and Changes

[Screenshot comparison: Version 20.0 vs Version 19.5]

Version 20 increases the horizontal resolution to 1920 pixels, full HD, to better scale to higher
resolution screens.

For example, the firewall tables will now use the full space available to them and adjust intelligently to
fit. Here you can see the difference, where in version 19.5 the rule names were truncated, but in
version 20 you can see the full rule name.


Automatic Firmware Rollback
Other Enhancements and Changes

• The firewall will automatically roll back to the previous version if the upgrade fails
• With high availability: if the auxiliary device upgrade fails, the whole cluster remains on the previous version; if the primary device upgrade fails, both devices run in standalone mode
• Control center will display a warning notification; log viewer will contain an error

From version 20, Sophos Firewall will automatically roll back to the previous version if the firmware
upgrade fails.

When the firewall is in a high availability configuration:

• If the auxiliary device upgrade fails, the whole cluster will remain on the previous version
• If the primary device upgrade fails, both devices will run in standalone mode

When an upgrade fails and the firmware is rolled back automatically, a warning notification is
displayed in the Control Center, and an error can be found in the log viewer.


Backup from Wi-Fi and Restore to Non-Wi-Fi Device
Other Enhancements and Changes

Wireless networks must be removed from LocalWifi0 and LocalWifi1 devices in Wireless > Access points prior to taking the configuration backup

It is now possible to restore a configuration backup that was taken on a Wi-Fi model to a non-Wi-Fi
model.

To do this, you need to remove all the wireless networks from the LocalWifi0 and LocalWifi1 devices
in Wireless > Access points prior to taking the configuration backup.

Backup Filename Includes Build Number (SFOS v19.5 MR 1)
Other Enhancements and Changes

Configuration backup filename format

Backup_<SERIAL>_<MODEL>_SFOS-<VERSION>-Build<###>_<DATE AND TIME>

Configuration backup filename example

Backup_C01001YJ89YKF2E_HV01_SFOS-20.0.0-EAP0-Build165_05Sep2023_11.50.04

Configuration backup files now include the build number, which is useful when troubleshooting.

Note that this update was released in version 19.5 MR 1.
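As an added example (not Sophos code), the following Python parses the filename format above into its fields and uses the build number to pick the newest backup taken on a given firmware build, which is the troubleshooting question the build number exists to answer. It assumes, since the page says the build component arrived in 19.5 MR 1, that older backup files simply lack it; the listing is constructed apart from the course's own example filename.

```python
"""Added example, not Sophos code: parse configuration backup filenames of the
form Backup_<SERIAL>_<MODEL>_SFOS-<VERSION>-Build<###>_<DATE AND TIME> so the
build number can be checked before a restore.

Assumption (not from the course): backups taken before 19.5 MR 1 carry no
Build component, so that part is optional and the build is then None.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

_PATTERN = re.compile(
    r"^Backup_"
    r"(?P<serial>[A-Za-z0-9]+)_"
    r"(?P<model>[A-Za-z0-9]+)_"
    r"SFOS-(?P<version>[A-Za-z0-9.\-]+?)"     # e.g. 20.0.0-EAP0; non-greedy so it stops before -Build
    r"(?:-Build(?P<build>\d+))?_"
    r"(?P<stamp>\d{2}[A-Za-z]{3}\d{4}_\d{2}\.\d{2}\.\d{2})$"
)


@dataclass(frozen=True)
class BackupName:
    serial: str
    model: str
    version: str
    build: Optional[int]
    taken_at: datetime


def parse_backup_name(filename: str) -> Optional[BackupName]:
    """Return the fields encoded in a backup filename, or None if it is not one."""
    m = _PATTERN.match(filename)
    if m is None:
        return None
    taken = datetime.strptime(m["stamp"], "%d%b%Y_%H.%M.%S")
    build = int(m["build"]) if m["build"] is not None else None
    return BackupName(m["serial"], m["model"], m["version"], build, taken)


def latest_for_build(filenames: List[str], version: str, build: int) -> Optional[str]:
    """Pick the newest backup taken on exactly this firmware version and build.

    Files that do not parse, or that lack a build number, are skipped: a backup
    whose build is unknown is exactly the case this filename change removes."""
    best = None
    best_time = None
    for name in filenames:
        parsed = parse_backup_name(name)
        if parsed is None or parsed.build != build or parsed.version != version:
            continue
        if best_time is None or parsed.taken_at > best_time:
            best, best_time = name, parsed.taken_at
    return best


# Constructed sample listing: the first entry is the course's own example,
# the rest are made up for the example.
SAMPLE_FILENAMES = [
    "Backup_C01001YJ89YKF2E_HV01_SFOS-20.0.0-EAP0-Build165_05Sep2023_11.50.04",
    "Backup_C01001YJ89YKF2E_HV01_SFOS-20.0.0-EAP0-Build165_12Sep2023_08.15.30",
    "Backup_C01001YJ89YKF2E_HV01_SFOS-20.0.0-EAP0-Build170_20Sep2023_10.00.00",
    "Backup_C01001YJ89YKF2E_HV01_SFOS-19.5.0_01Jun2023_09.00.00",  # no build: pre 19.5 MR 1 style
    "notes.txt",
]

if __name__ == "__main__":
    for name in SAMPLE_FILENAMES:
        print(name, "->", parse_backup_name(name))
    print("newest on 20.0.0-EAP0 build 165:", latest_for_build(SAMPLE_FILENAMES, "20.0.0-EAP0", 165))
```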

Unrestricted WAN Access Is No Longer Supported (SFOS v19.5 MR 2)
Other Enhancements and Changes

From version 19.5 MR 2, it is no longer possible to enable HTTPS access to the web admin console for
the WAN zone in the local service ACL table, to encourage more secure access practices.

You can still create a local service ACL exception rule to allow HTTPS access to the web admin console,
where you can also restrict access to specific allowed IP addresses and networks.

This change does not affect existing configured deployments; however, unused WAN access to the
web admin console and user portal will be disabled after 90 days. This does not affect ACL exception
rules.


Other Enhancements
Other Enhancements and Changes

There are several other minor enhancements in Sophos Firewall version 20.0, including:
• The Secure Storage Master Key is now mandatory for fresh installations so that Sophos Firewall is in
a more secure state from the beginning
• The email notification text and branding has been updated from XG Firewall to Sophos Firewall
• There is new help documentation for the user delete API
• The Jordan time zone changes to DST have been incorporated into the Firewall
• The SATC download has been removed as it is now end-of-life


Akamai SIA and Cloudflare SSE Integrations
Other Enhancements and Changes

Sophos Firewall: Connect Akamai SIA and Sophos Firewall
https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/141355/sophos-firewall-connect-akamai-sia-and-sophos-firewall

Sophos Firewall: Connect Cloudflare Magic WAN and Sophos Firewall
https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/140069/sophos-firewall-connect-cloudflare-magic-wan-and-sophos-firewall

You can now integrate Sophos Firewall with Akamai Secure Internet Access, SIA, and Cloudflare SSE,
Security Service Edge. Both of these integrations are documented in the Sophos Community in the
recommended reads.

Akamai Secure Internet Access Enterprise (SIA) is a cloud-based, targeted threat protection solution
that safeguards your organization from DNS and web-based threats, enforces authentication and
acceptable use policies, and audits user internet access.

With SIA, you can:


• Inspect DNS, HTTP, and HTTPS traffic for threats.
• Block malicious domains and URLs.
• Identify compromised devices in your network.
• Use a client to extend SIA protection to devices on or off the corporate network.
• Customize a dashboard with widgets to track events and network activity.
• Control access to websites, web applications, sensitive data, and specific file types.
• Allow or block specific applications or application operations.
• Enforce web-based user authentication policies.
• Perform inline and offline payload analysis.
• Report all user activities for DNS, HTTP, and HTTPS traffic.
• Investigate detected threats.
• Protect against malware, ransomware downloads, and zero-day phishing attacks.
• And detect command and control calls.

Cloudflare Magic WAN provides secure, performant connectivity and routing for your entire corporate
network, reducing cost and operational complexity. Magic Firewall integrates smoothly with Magic
WAN, enabling you to enforce network firewall policies at the edge, across traffic from any entity
within your network.

With Magic WAN, you can securely connect any traffic source, such as data centers,
offices, devices, and cloud properties, to Cloudflare’s network and configure routing
policies to get the bits where they need to go, all within one SaaS solution.

Magic WAN supports a variety of on-ramps, including Anycast GRE or IPsec tunnels, Cloudflare
Network Interconnect, Cloudflare Tunnel, WARP, and a variety of Network On-ramp Partners.


TechVids for Sophos Firewall v20.0

Sophos Firewall v20: Active Threat Response with MDR Threat Feeds
https://techvids.sophos.com/share/watch/kysi9dTRDCRHuPFgPi2AEr

Sophos Firewall v20: DHCP Prefix Delegation
https://techvids.sophos.com/watch/LvQPWE7moUZJUHrXyF7Nhp

Sophos Firewall v20: IPv6 Dynamic Routing in Border Gate Protocol
https://techvids.sophos.com/watch/MoKbV1ZiLPBRFACaaeJSRs

Sophos Firewall v20: Captive Portal SSO & Group Import
https://techvids.sophos.com/watch/ZRfL8d1UXgJw6idbsSjn1k

Sophos Firewall v20: VPN Enhancements
https://techvids.sophos.com/watch/bgUdBHwMBFLt8KnwgcFr7u

Sophos Firewall v20: Quality of Life Enhancements
https://techvids.sophos.com/watch/daqv8rRYvfwJUYvzssjCkJ

TechVids have created a series of videos covering the new features of Sophos Firewall version 20. You
can use the links here to view them.

Click Continue when you are ready to proceed.


New SFOS API Resources

https://techvids.sophos.com/watch/7oEPqyoKz7ZSPn27Pze8hu
https://techvids.sophos.com/watch/eb41XhMywMs6H5BhpJL5xM

API documentation:
https://doc.sophos.com/nsg/sophos-firewall/20.0/API/index.html

TechVids have also released new videos to help get started using the Sophos Firewall API.

Click Continue when you are ready to proceed.


Chapter Review

Here are the three main things you learned in this chapter.

There are three new user access features: VPN features have been moved from the user portal to a
dedicated secure VPN portal, Sophos Firewall can now be configured as a ZTNA gateway, and users can
authenticate in the captive portal using Azure AD SSO.

Active Threat Response uses threat feeds from Sophos to block IoCs, or indicators of compromise,
automatically on the firewall. The Sophos X-Ops threat feed replaces ATP, or Advanced Threat
Protection, and the MDR threat feed for our MDR customers is a custom threat feed based on analysis
of telemetry you send to the data lake.

There are two new IPv6 features: BGP for IPv6, which is integrated into the existing BGP service and
workflow, and DHCPv6-PD, or prefix delegation, which seamlessly integrates with ISP-provided
DHCP-PD for LAN networks to automate IP assignment of IPv6 prefixes and subnets.


Training Feedback

Feedback on our courses is always welcome.

Please email us at [email protected] with your comments.
