Xg Firewall



The Sophos XG Firewall will block even unknown threats with its comprehensive suite of advanced protection, which includes a Web Application Firewall, Sandboxing, Dual AV, IPS, ATP, Web and Application Control, Anti-phishing and more.

XG Firewall v18 MR1 is now rolling out globally (Jul 20, 2020), bringing new levels of visibility, protection, and performance to your firewall. When the notification for the latest firmware update appears in the console, we strongly encourage everyone to take advantage of the easy process to upgrade. It’s just a few clicks.

XG Firewall is the only network security solution that is able to fully identify the source of an infection on your network and automatically limit access to other network resources in response. This is made possible with our unique Sophos Security Heartbeat™ that shares telemetry and health status between Sophos endpoints and your firewall.

And if you haven’t already done so, now is the time to upgrade your XG Firewall to v18.

As there are many great new features in XG Firewall v18, our blog series over the coming weeks will be highlighting the most important new capabilities, such as the new Xstream Architecture, the new zero-day threat protection, Sophos Central Management and Reporting, and how you can get the most out of them.

Xstream Architecture

One of the flagship features in v18 is the new Xstream Architecture, which includes a streaming DPI engine and TLS 1.3 inspection for encrypted traffic.

How is this architecturally different to the legacy web proxy solution? Put simply, the new Xstream DPI engine is specifically designed to achieve optimal performance and connection-handling efficiency. It uses a single streaming engine that inspects traffic between a host on the network and an external server or service. This provides all the essential protection in a single pass:

  • File and web malware scanning
  • Intrusion Prevention (IPS) for attempts to exploit network vulnerabilities
  • Application identification and control


By stream scanning files as they are downloaded from web servers, it can pass the content along to the end user while only holding the last portion of the file to complete the scan before either blocking the download or allowing the last packets to flow through. It does not need to hold the entire file while it’s being scanned.
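To make the hold-back idea concrete, here is an added illustration (not Sophos code, and not the Xstream engine): a scanner that forwards every byte except a trailing window as data arrives, and releases or blocks that window only when the whole object has been seen. The signature matcher, the `HOLDBACK` size and the sample payloads are all constructed assumptions.

```python
# Added illustration (not Sophos code) of stream scanning with a held-back tail:
# every byte except the last `holdback` bytes is forwarded as it arrives, and the
# tail is released only once the whole object has been scanned clean. The scanner
# is a toy substring matcher and HOLDBACK is an assumed value, both constructed here.
from typing import Iterable, Iterator, List, Tuple

HOLDBACK = 16                                           # assumed tail size in bytes
SIGNATURES = (b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE",)   # toy signature list

def stream_scan(chunks: Iterable[bytes], holdback: int = HOLDBACK) -> Iterator[Tuple[str, bytes]]:
    """Yield ("forward", data) for bytes that may go to the client and, once the
    stream ends, either ("forward", tail) or ("block", b"") for the held-back tail."""
    carry = max(len(s) for s in SIGNATURES) - 1   # bytes a signature could straddle
    seen_tail = b""    # last `carry` bytes already scanned, for cross-chunk matches
    pending = b""      # received but not yet forwarded
    infected = False
    for chunk in chunks:
        pending += chunk
        window = seen_tail + chunk
        if any(sig in window for sig in SIGNATURES):
            infected = True               # verdict reached: never release more bytes
        seen_tail = window[-carry:] if carry else b""
        if not infected and len(pending) > holdback:
            cut = len(pending) - holdback
            release, pending = pending[:cut], pending[cut:]
            yield ("forward", release)
    yield ("block", b"") if infected else ("forward", pending)

def chunked(data: bytes, size: int) -> List[bytes]:
    """Split a constructed payload into fixed-size transfer chunks."""
    return [data[i:i + size] for i in range(0, len(data), size)]

def deliver(data: bytes, chunk_size: int, holdback: int = HOLDBACK) -> Tuple[bytes, bool]:
    """Run the stream through the scanner; return (bytes the client got, blocked?)."""
    events = list(stream_scan(chunked(data, chunk_size), holdback))
    delivered = b"".join(d for kind, d in events if kind == "forward")
    return delivered, any(kind == "block" for kind, _ in events)

if __name__ == "__main__":
    clean = b"hello world " * 5              # constructed clean file
    bad = b"A" * 40 + SIGNATURES[0]          # constructed: signature only in the tail
    print(deliver(clean, 7))                 # all 60 bytes forwarded, not blocked
    print(deliver(bad, 10))                  # partial prefix only, blocked
```

The point the simulation makes is that a verdict reached on the final chunk still stops the file: the client has only a truncated prefix, because the trailing window was never released.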

And it’s FAST! How fast? Many XG Firewall customers and partners have reported that the new DPI engine and TLS inspection are anywhere from two to three times faster than before.

Unlike the Xstream DPI engine, legacy protection in XG Firewall utilizes different engines for different jobs. There’s a web proxy for inspecting and filtering web content, an IPS engine, and an application control solution.

Rather than stream scanning as traffic flows through, the web proxy acts as a relay between the client and the external server. This has an advantage when packet header modifications need to be made to support features such as SafeSearch, YouTube restrictions, or Google domain restrictions as only the legacy web proxy can support these features. In all other cases, however, it just means it’s handling more connections and doing more work.

Making the most of the new Xstream DPI engine and TLS inspection

When you upgrade your XG Firewall to v18, all your existing firewall rules will be using the legacy web proxy by default to ensure seamless upgrade compatibility. If you don’t require features like SafeSearch, YouTube restrictions, or Google domain restrictions, you should switch these firewall rules to using the new Xstream DPI engine. It requires a change to a single setting:

This setting determines if you’re using the legacy web proxy (checked) or the new Xstream DPI engine (unchecked).

By switching many of your firewall rules over to the new Xstream DPI engine, you can see a tremendous performance benefit.

Taking advantage of the new TLS inspection engine with support for TLS 1.3 is also simple to configure. It essentially requires checking one box in your firewall to activate it and then creating a rule on the new SSL/TLS Inspection Rules tab as shown below.

As with any TLS inspection solution, you will also need to deploy the appliance CA certificate to hosts on your network that you wish to inspect. We recommend using the wizard built into the Microsoft Active Directory Group Policy Management tools to make this quick and easy.

Your TLS rules define which TLS traffic to decrypt and the associated decryption profile governs how to handle the decryption as well as protocol and cipher enforcement. The rules are structured and work identically to how firewall rules function in a top-down hierarchy.

We recommend you start gradually with TLS inspection, with a limited sub-estate of your network or a few test systems. This will allow you to build your expertise with the new TLS inspection solution and explore the new rules, logging, reporting, and error-handling options. Not all applications and servers fully and properly support TLS inspection, so watch the Control Center for errors and take advantage of the convenient built-in tools to exclude problematic sites or services.

Once you’re comfortable with the DPI engine and TLS inspection, we recommend applying it more broadly across your network. However, with encrypted traffic volumes now at over 80% of all internet traffic, keep in mind that TLS inspection is resource-intensive due to the nature of the decryption/encryption algorithms.

If your XG Firewall appliance is a few years old and already running at high load, it may be time for a hardware refresh or a new higher-performance model. Enabling TLS inspection on most of your internet traffic is now essential protection against the latest ransomware and threats as more and more hackers make use of TLS encryption to get onto networks and stay there undetected.

To learn more, the following resources are available to help you make the most of the new features in XG Firewall v18:

XG Firewall v18 includes several performance gains that will breathe new life into your network, enabling you to handle more traffic and better secure it.

If you haven’t upgraded to XG Firewall v18 already, you’re going to want to do so as soon as possible to take advantage of the substantial performance benefits waiting for you.

What are the gains and where do they come from?

Consider these potential performance boosts available by upgrading to XG Firewall v18:

Those are some impressive performance improvements!

One of the most exciting enhancements to XG Firewall in v18 was the introduction of the new Xstream Architecture, with its all-new streaming DPI engine, advanced TLS 1.3 inspection solution, and Network Flow FastPath.

Let’s look at how the Xstream Architecture upgrades your performance:

Trusted traffic FastPath acceleration

The new Xstream Network Flow FastPath is all about performance. It directs trusted traffic that doesn’t require security scanning into a fast lane through the system. This not only minimizes latency and accelerates application traffic through the firewall, it also has the added benefit of not engaging the DPI engine for deep-packet inspection of trusted traffic.

The impact of fast-pathing is up to a 5x improvement in firewall traffic throughput! Of course, with a blend of real-world traffic mixes, not all applications qualify for trusted traffic FastPath acceleration, but if a substantial portion of your traffic can be accelerated on the FastPath, you could increase your firewall’s security scanning capacity while allowing more trusted traffic. That’s a win-win.

Be sure to see how to make the most of the Network Flow FastPath on your network to learn how this works and how to set it up optimally.

TLS inspection speed

The new Xstream TLS inspection solution also brings a tremendous boost in decrypting and inspecting encrypted traffic flows, with up to a 2x improvement in performance. And when you combine the added performance with the very granular and easy-to-manage TLS inspection policies, you can be sure you’re only inspecting traffic that really needs it – and now do it faster than ever.

See how to make the most of Xstream TLS Inspection on your XG Firewall.

IMIX traffic performance

Internet Mix, or IMIX, is an often-used reference for measuring typical real-world internet traffic performance, making it a good metric to consider when looking at performance.

The new Xstream architecture in XG Firewall v18 brings a substantial boost in performance to this important metric. On our mid-range firewall models, the gains are over 100%, with the average across the XG Series line being a 57% improvement in performance.

This is all thanks to optimizations in the packet processing flow, DPI engine, and Network Flow FastPath. It’s an incredible real-world improvement in traffic processing performance.

Other common traffic performance measurements also benefit from the Xstream architecture in v18, including raw firewall performance, IPS, AV, application control, and malware protection.

Get the latest XG Firewall brochure to see the latest performance metrics and how your XG Series model stacks up.

SSL VPN capacity

Further optimizations to our SSL engine in XG Firewall v18 MR3 bring some dramatic improvements to remote access SSL VPN capacity, with up to 6x the number of connections possible on our higher-end appliances.

Increases are more modest at the entry-level, but on a typical mid-range device like the XG 310, the capacity has tripled! This is great news for everyone managing a remote workforce these days.

Check out the other great enhancements with remote-access VPN.

Upgrade today

If you haven’t already, upgrade to XG Firewall v18 today. It’s a free performance boost, and you get a ton of great new protection and networking features.

Be sure to take advantage of all the resources available, including the recent “Making the Most of XG Firewall v18” article series that covers all the great new capabilities in XG Firewall v18: