Sophos Firewall OS v19 EAP is now available


This latest v19 build adds a number of great new enhancements, including Xstream FastPath Acceleration of IPsec VPN traffic.

Sophos Firewall OS v19 is now entering the second phase of the early access program (EAP), providing access to the full set of v19 features slated for general availability in April.

This latest v19 build adds a number of great new enhancements, including Xstream FastPath Acceleration of IPsec VPN traffic, which provides a tremendous performance boost and adds to the other Xstream SD-WAN capabilities added in EAP1.

As a reminder, here’s a complete overview of all the great new Xstream SD-WAN capabilities:

New Xstream FastPath Acceleration for IPsec traffic

Sophos Firewall OS v18 introduced the Xstream architecture that enables FastPath acceleration of trusted traffic flows. The new XGS series hardware appliances added dedicated Xstream Flow Processors for hardware acceleration of trusted traffic flows. One of the great benefits of the programmable flow processor is that additional features and capabilities can be added to further improve performance.

SFOS v19 EAP2 adds IPsec VPN hardware FastPath acceleration for XGS Series appliances, which automatically puts IPsec tunnel flows on the FastPath through the Xstream Flow Processor. This dramatically improves performance, moving some of the CPU-intensive processing required for IPsec tunnels to the Xstream Flow Processor, such as ESP-encapsulation/encryption and decapsulation/decryption. This new feature takes full advantage of the hardware crypto capabilities within the Xstream Flow Processor and has the added benefit of freeing up CPU resources for other tasks like deep-packet inspection of traffic that needs it.

Xstream FastPath Acceleration for IPsec traffic works for both site-to-site and remote access VPN traffic; however, IPsec connections with weak cipher or auth algorithms (DES, 3DES, Two Fish, MD5) will not be off-loaded.

Other enhancements in SFOS v19 EAP2

  • Several SD-WAN policy-based routing (PBR) enhancements for usability and troubleshooting based on early EAP feedback (see image below for a list of enhancements in this area)
  • Added a default object group for Internet IPv4 hosts that can be used as network matching criteria to match all internet WAN traffic, making it easy to configure SD-WAN PBRs that only apply to WAN-destined traffic
  • Sydney, Australia data center option for zero-day protection (which will be live around the end of February: we will make another community announcement when it becomes active)
  • Device and management identity enhancements now show the device hostname in the browser tab and the active user ID in the upper right corner of the management console, which makes managing multiple firewalls and admin accounts easier
  • Numerous performance and stability enhancements since the first EAP build
A list and side-by-side comparison of SD-WAN PBR enhancements in the latest v19 build