Sophos XG Firewall Release notes Version: 18.0

Sophos XG Firewall · 2020-03-06 · New features


1. Supported platforms

SFOS 18.0 is supported on all XG and SG appliances with at least 4 GB of RAM.

With the new Xstream packet processing architecture, you will enjoy a nice performance boost on your existing hardware.

SFOS 18.0 won't be supported on older XG 85/105 and SG 105 models that have 2 GB of RAM but will run perfectly on the newer XG 86/106 models that have 4 GB of RAM.

Cyberoam appliances don't support SFOS 18.0. Models that don't support version 18 will continue to be supported for the foreseeable future on version 17.5. However, you can restore Cyberoam firewall backups on XG Firewall operating on 18.0.

For upgrade information, go to Upgrading to SFOS 18.0 (page 3).

2 20200402 Copyright © Sophos Limited


2. Upgrading to SFOS 18.0

SFOS 18.0 GA is now available.

Note the following upgrade information for SFOS 18.0:

• You can upgrade from SFOS 17.5 (MR6 up to MR10) to SFOS 18.0 GA (build 354). We recommend that you upgrade the firmware to the latest build.

CAUTION: Upgrading from SFOS 17.5.x to SFOS 18 GA (build 354) may take longer than usual because of additional checks for file system correction. The time taken (approximately 50 minutes) depends on the hard disk size and status.

Don't interrupt the upgrade process or restart it midway. It can put the system into an undefined condition. You'll then need to re-image the appliance with the ISO.

• Currently, you can't migrate from SFOS 17.5 (MR11) to SFOS 18.0. We'll inform you as soon as we have an update.

• 18.0 requires a minimum of 4 GB RAM. So, you can't upgrade the following models to 18.0:

◦ XG 85, XG 85w, XG 105, and XG 105w

◦ SG 105, SG 105w

These models must remain on a 17.x version. See XG Firewall Lifecycle Policy and XG Firewall retirement calendar.

• Cyberoam models don't support 18.0 firmware. However, you can restore Cyberoam firewall backups on XG Firewall operating on 18.0.

• Firmware:

◦ Rollback (firmware switch) is supported. You can roll back to 17.5 MRx if you experience any issues with 18.0. For example, the active firmware on the firewall is 18.0 and the second firmware version is 17.5. You can switch between these two firmwares. When you do that, the configuration on either doesn't change.

◦ You can't downgrade from 18.0 to an older firmware using 17.5 or an earlier firmware file. The web admin console will show an alert.

18.0 uses the Grub boot loader, and the changed bootloader can't recognize 17.x firmware. You can still use the hardware ISO of 17.5 or earlier to have the firewall on an older firmware version and restore the downgraded firmware's backup.

◦ In 18.0, we moved to a more secure firmware signing method. The firmware update files now use the .sig extension and not the earlier .gpg extension.

• Backup and restore are supported. You can restore the following on 18.0:

◦ SG firewalls running SFOS

◦ Cyberoam firewalls


◦ XG Firewall backups

• SFOS 18.0 moved to SSH tunnel-based secure communication for the HA cluster. If you're upgrading the HA cluster to 18.0, both the devices in the cluster will reboot simultaneously once. You'll receive an alert on the UI before you can proceed.

• Key information you need to know about how to configure:

◦ NAT rules (page 25)

◦ What's new in SD-WAN policy routing (page 46)

◦ SSL/TLS inspection rules (page 8)


3. New features

The release notes site describes the new features introduced in XG Firewall 18.0.

The left menu gives the key features, their significance, and how to implement them. For detailed information on XG Firewall, go to the online help.

For an overview of the key features, please read What’s New in v18.

3.1 Xstream architecture

We are introducing the new Xstream architecture for XG Firewall: a new streaming packet processing architecture that provides extreme levels of protection and performance. The new architecture includes:

• Xstream SSL inspection: Enable SSL inspection on your network without compromising network performance or the user experience. It delivers high-performance, high-connection-capacity support for TLS 1.3 and all modern cipher suites, providing extreme SSL inspection performance across all ports, protocols, and applications. It also comes equipped with enterprise-grade controls to optimize security, privacy, and performance.

• Xstream DPI engine: Enables comprehensive threat protection in a single high-performance streaming DPI engine with proxyless scanning of all traffic for AV, IPS, and web threats, as well as providing application control and SSL inspection.

• Xstream network flow FastPath: Provides the ultimate in performance by intelligently offloading traffic processing to transfer trusted traffic at wire speeds. FastPath offloading can be controlled through policy to accelerate important cloud application traffic or intelligently by the DPI engine based on traffic characteristics.

3.1.1 FastPath network flow

Xstream architecture enables the offloading and streaming of packet processing for high levels of protection and performance.

The architecture contains the DPI (Deep Packet Inspection) engine, SSL/TLS inspection, and the FastPath network flow.

The DPI engine applies SSL/TLS decryption and inspection, IPS policies, application identification and control, web policies (including proxyless web filtering), and antivirus scanning in a single engine. Antivirus scanning includes Sandstorm protection and file reputation analysis.

SSL/TLS inspection decrypts and inspects SSL/TLS connections that use modern cipher suites across all ports and protocols. For details, go to Rules and policies > SSL/TLS inspection rules.

FastPath network flow offloads (bypasses processing of) trusted traffic. Offloading eliminates the need to apply full firewall processing to every packet in a connection, minimizing the use of processing cycles.

You can optimize FastPath offloading through rules and policies to accelerate cloud application traffic or through the DPI engine based on traffic characteristics.


FastPath network flow

The data plane is the core hardware and software component. It works in the FastPath, kernel (firewall stack), and user space domains, offloading trusted packets throughout a connection's lifetime. The DPI engine is in the user space.

FastPath provides an efficient, zero-copy path into the DPI engine, eliminating the need to retain copies in the kernel memory. The data plane caches the classification decisions of the kernel and user space, and applies them to all the traffic in a connection, lightening the load on the hardware. This enables FastPath to offload some or all processing of a packet from the CPU.

The firewall stack still requires the CPU to handle the connection rate.

Note: XG Firewall retains firewall stack (slowpath) processing as a fallback path for functionalities that can't be processed in FastPath or if FastPath can't function. The firewall stack continues to process certain protocols, such as IP in IP.

FastPath is software-based and is also available as Virtual FastPath (VFP), enabling us to maintain a common architecture for XG Firewall devices and the software and virtual platforms of XG Firewall. The firewall stack can offload to FastPath through VFP or the FastPath API. VFP updates and features are part of SFOS releases.

Note: Virtual FastPath supports the NIC drivers i40e, e1000, e1000e, igb, ixgbe, and vmxnet3. VFP won't load on other drivers; XG Firewall (including the DPI engine) still functions fully, but without the FastPath performance enhancements.

Currently, Virtual FastPath supports up to 3500 MTU on e1000 and e1000e NICs.

Note: For virtual deployments, Virtual FastPath supports the VMware ESXi hypervisor. For other hypervisors, such as KVM, turn off FastPath using the CLI command for firewall acceleration.

Firewall acceleration

When you turn off firewall acceleration on the CLI console or when FastPath doesn't load, XG Firewall continues to function fully, but without the performance enhancements of FastPath.

To turn firewall acceleration on or off through FastPath and to see the status, use the following CLI commands:

Option                           CLI command
Show firewall acceleration       console> system firewall-acceleration show
Turn on firewall acceleration    console> system firewall-acceleration enable
Turn off firewall acceleration   console> system firewall-acceleration disable

Note: FastPath doesn't support tcpdump. It's turned off when you run a tcpdump command.

FastPath

Traffic for a connection flows in the stateful firewall mode initially. The firewall stack processes the first packet and does the following:

• Applies the firewall rule action.

• Makes layer 2 and layer 3 decisions that include routing, switching, forwarding, and RED traffic-related decisions.

• Makes decisions related to ingress decapsulation and egress encapsulation, includingdecisions for IPsec VPNs.

• Applies DoS (Denial of Service) policies.

• Applies QoS (traffic shaping) policies.

After one packet from each direction passes through XG Firewall, the firewall stack fully classifies the flow and programs a connection cache in FastPath. It offloads kernel processing for subsequent packets in the same connection to FastPath. These packets don't require further processing to verify their identity and destination. With stateful tracking of individual connections, FastPath processes the packets fully, saving CPU cycles and memory bandwidth. FastPath acts only as directed by the kernel.

DPI engine

For security decisions, the firewall stack delivers the initial packet to the DPI engine through the Data Acquisition (DAQ) layer. FastPath delivers subsequent packets directly to the DPI engine through the DAQ layer, which is a high-speed mechanism to move packets into and out of the DPI engine. The direct delivery eliminates the need to retain copies in the kernel memory.

The DPI engine inspects traffic from layer 4 and higher through streaming processing. Offloading decisions are taken at each stage of security processing.

SSL/TLS engine: For unencrypted traffic, when SSL/TLS inspection rules are turned on, the SSL/TLS module directs the DAQ layer to skip SSL/TLS processing for the flow. For encrypted traffic, when SSL/TLS inspection rules have been set up, the DPI engine continues to modify traffic throughout the connection lifetime. This ensures that the connection isn't dropped because the SSL/TLS connection has been modified for inspection.

Intrusion prevention and application control: With application control turned on, the initial packets are delivered to IPS for application identification. IPS classifies the application after a few packets and gives a policy verdict for application control, which may give new forwarding behavior and QoS parameters. The DAQ layer communicates these decisions to the kernel and the hardware. From this point onward, the connection may be completely offloaded to FastPath.

IPS may pass a verdict to stop security processing based on factors such as a safe signature or verdict from SophosLabs, a matching IPS policy with bypass action, or earlier guidelines.


Antivirus and web filtering: If the IPS verdict is that the traffic is safe, antivirus scanning doesn't take place. If web filtering applies, web traffic scanning continues until the end of the flow, depending on the HTTP responses.

From this point onward, FastPath offloads traffic from the kernel and handles layer 2 and layer 3 processing. The ability to offload some or all processing minimizes load on the CPU.

How to enable FastPath with rules and policies

Here are examples of rules and policies that enable FastPath to handle traffic fully, bypassing the firewall stack and the DPI engine:

• A firewall rule without IPS, web filtering, antivirus, or application control. Traffic is offloaded to FastPath after the initial packet passes through XG Firewall on either side of the connection.

• A firewall rule with an application control policy. Traffic is offloaded to FastPath after about eight packets.

• A firewall rule with an IPS policy set to the rule action Bypass session. Traffic that matches IPS policy rules with this action is offloaded to FastPath.

• A firewall rule with the following policies:

◦ An IPS policy containing intelligent offload signatures from SophosLabs.

◦ Web filtering without malware and content scanning or DPI engine settings. For firewall rules with malware and content scanning and DPI engine settings, FastPath delivers traffic to the DPI engine directly, bypassing the firewall stack.

• No SSL/TLS inspection rules. For rules with the action set to Decrypt, FastPath delivers traffic to the DPI engine directly, bypassing the firewall stack.

• SSL/TLS inspection rules with the action set to Don't decrypt. For STARTTLS connections, traffic is offloaded to FastPath after 15 packets.

3.1.2 SSL/TLS inspection rules

With SSL/TLS inspection rules, you can intercept and decrypt SSL and TLS connections over TCP, enabling XG Firewall to enforce secure connections between clients and web servers.

SSL/TLS inspection enables the prevention of malware transmitted through encrypted connections.

You can enforce policy-driven connections and decryption for inbound and outbound SSL/TLS traffic based on the traffic and risk level.

SSL/TLS inspection rules do not affect the decryption of traffic handled by the web proxy. You specify the method of web filtering (web proxy or the DPI engine) in firewall rules. By default, XG Firewall uses the DPI engine, applying SSL/TLS inspection rules to traffic matching the firewall rule criteria.

SSL/TLS inspection rules are turned on by default for fresh installations. For deployments migrating from SFOS 17.5 and earlier, they're turned off by default. You can turn them on or off manually.

CAUTION: When SSL/TLS inspection rules are turned off, XG Firewall won't apply them to the connections. The control center and log viewer won't show the SSL/TLS connection and decryption details.


Warning: Android devices are known to generate SSL/TLS certificate errors, causing decryption to fail. We recommend creating an SSL/TLS exclusion list for all Android devices.

Rule table actions

• You can filter the rules by the source, destination, and rule ID.

• To reset the rule filter, select Reset filter.

Click More options to specify the following actions:

• To edit or delete a rule, select the action.

• To clone or add a rule next to an existing rule, select the action.

• To turn on or turn off a rule, select the switch.

To change the position of a rule, drag and drop the Rule handle. XG Firewall evaluates rules from the top down until it finds a match. Once it finds a match for the packet, it doesn't evaluate subsequent rules. Position the specific rules above the less specific rules.

SSL/TLS inspection rules

SSL/TLS inspection detects SSL/TLS traffic on any TCP port. Inspection rules apply to detected SSL/TLS connections. You can specify rules to decrypt traffic based on the source, destination, users and groups, services, websites, and web categories. To take effect, the rule must find a match in all criteria.

You need to select a decryption profile for each rule to specify the action for traffic with issues, such as insecure protocol versions, SSL compression, unrecognized cipher suites, cipher algorithms to block, certificate errors, or connections that exceed the firewall's decryption capabilities. After decrypting and inspecting the traffic, XG Firewall re-encrypts the traffic with the re-signing certificate authority that you specify.

You can use SSL/TLS inspection rules in these cases:

• Implement policy-driven decryption and meet compliance requirements.

• Prevent malware transmission through encrypted traffic.

• Apply web content policies to encrypted traffic to prevent unwanted uploads and downloads without obstructing general browsing.

Exclusions to SSL/TLS inspection rules

XG Firewall provides a default exclusion rule, Exclusions by website or category, that prevents connections to certain websites from being decrypted. The rule has its action set to Don't decrypt and the decryption profile set to Maximum compatibility.

The rule is permanently positioned at the top of the SSL/TLS inspection rule table. SSL/TLS inspection rules are evaluated top down in the rule table.

The exclusion rule contains the following default exclusion lists:

• Local TLS exclusion list: The list is empty by default. You can add websites to this list by troubleshooting in the Control center or Log viewer. To edit this list, go to Web > URL groups.


• Managed TLS exclusion list: The list contains websites known to be incompatible with SSL/TLS inspection and is updated through firmware updates.

Tip: To add websites to the exclusion rule or remove them, edit the rule and add or remove the web categories or URL groups. Alternatively, go to Web > URL groups and edit the group Local TLS exclusion list.

You can exclude web categories, URL groups, users, source and destination IP addresses and networks by creating your own exclusion rules and placing them immediately below the default rule. Add only connections you don't want to be decrypted by other SSL/TLS inspection rules to an exclusion rule.

You can use both web exceptions and SSL/TLS exclusion rules to stop connections from being decrypted. For details of how they differ in enforcing HTTPS decryption-related exceptions, see the table below:

Functionality: Processes you can exclude
  SSL/TLS exclusion list:
    • HTTPS decryption
    • HTTPS certificate and protocol enforcement
  Web exception:
    • HTTPS decryption
    • HTTPS certificate validation
    • Malware and content scanning
    • Sandstorm
    • Web policy checks

Functionality: Applies in this mode
  SSL/TLS exclusion list:
    • DPI mode
  Web exception:
    • DPI mode
    • Proxy mode

Functionality: Applies to this traffic
  SSL/TLS exclusion list:
    • SSL/TLS connections on any port.
  Web exception:
    • DPI mode: SSL/TLS connections on any port.
    • Proxy mode: SSL/TLS connections on port 443.

Functionality: Matching criteria
  SSL/TLS exclusion list:
    • URL group containing a list of websites (domain names) in plaintext. Includes the subdomains of these domains.
    • Web categories
    • Source and destination zones, networks, and IP addresses
    • Services
    • Users and groups
  Web exception:
    • URL pattern matches using regular expressions.
    • Web categories
    • Source and destination IP addresses and IP ranges

Functionality: Where to add the exception
  SSL/TLS exclusion list:
    • Add domains and subdomains to the Local TLS exclusion list by troubleshooting in the Control center or Log viewer.
    • Go to Web > URL groups and add websites to a URL group being used by an exclusion rule.
    • Create or edit SSL/TLS inspection rules.
  Web exception:
    • Add to Web > Exceptions.

SSL/TLS inspection settings

These settings apply to all SSL/TLS inspection rules. You can specify the re-signing certificate authorities (CAs), the action for traffic we don't decrypt, and the TLS downgrade setting. Inspection settings also allow you to turn off SSL/TLS inspection to troubleshoot errors.

CAUTION: We recommend that you turn it back on after troubleshooting.

The decryption profile that you add to an inspection rule overrides the inspection settings.

Firewall rules and web proxy

XG Firewall applies the firewall rules first and then the SSL/TLS inspection rules. It applies the inspection rules in transparent mode based on the web proxy selection you make in the firewall rule.

Transparent mode: In the firewall rule, if you've selected decryption and scanning by web proxy, traffic over ports 80 and 443 is decrypted by the web proxy. SSL/TLS inspection rules will then be implemented only for web traffic over other ports.

Explicit mode: Decryption and scanning is performed by the web proxy.


Note: The web proxy uses the certificate specified in Web > General settings. SSL/TLS inspection uses the certificates specified in SSL/TLS inspection settings and Decryption profiles.

Troubleshooting

To see if SSL/TLS connections have been exceeding the decryption limit, go to Control center and select the SSL/TLS connections widget.

To troubleshoot SSL/TLS errors, go to Control center, select the SSL/TLS connections widget, and select Fix errors in the upper-right corner.

If you don't see the connection and decryption details in the control center or the log viewer, make sure the following are turned on:

• SSL/TLS inspection rules: Go to Rules and policies > SSL/TLS inspection rules and turn the SSL/TLS inspection switch on.

• SSL/TLS engine: Go to Rules and policies > SSL/TLS inspection rules > SSL/TLS inspection settings. Under Advanced settings > SSL/TLS engine, select Enabled.

SSL/TLS inspection rules and the SSL/TLS engine

SSL/TLS inspection: You can turn SSL/TLS inspection rules on or off. For deployments migrating from SFOS 17.5, the inspection rules are turned off by default to prevent potential behavioral changes during the upgrade.

You must turn SSL/TLS inspection on to enable the new XStream SSL/TLS decryption functionality,including showing SSL/TLS connection statistics on the Control center.

When SSL/TLS inspection is set to On, XG Firewall works as follows:

• Inspects all traffic and identifies SSL/TLS connections.

• Applies SSL/TLS decryption rules and logs connections as required by the rules.

• Updates SSL/TLS connection statistics and shows them on the Control center.

When SSL/TLS inspection is set to Off, XG Firewall works as follows:

• Doesn't evaluate or apply SSL/TLS decryption rules.

• DPI engine doesn't decrypt SSL/TLS connections. XG Firewall still decrypts connections handled by the web proxy based on the firewall rule settings.

• Doesn't gather any SSL/TLS statistics. Won't update the statistics shown on the Control center any longer.

• For traffic matching firewall rules that have a web policy specified, and are not configured to use the web proxy, the DPI engine still uses SSL/TLS inspection to enforce the policy on non-decrypted HTTPS connections.

SSL/TLS engine: You can enable or disable the SSL/TLS engine in SSL/TLS inspection settings. When you disable the engine, XG Firewall won't use the SSL/TLS inspection engine at all. Use this option only for troubleshooting purposes based on advice from Sophos Support. When the engine is disabled, XG Firewall does the following:


• Won't evaluate or apply SSL/TLS decryption rules.

• Decrypts only traffic handled by the web proxy as specified in the firewall rules.

• Won't gather any SSL/TLS connection statistics. Won't update the statistics shown on the Control center any longer.

• The DPI engine won't apply web policies to any HTTPS traffic. This applies to traffic matching firewall rules that have a web policy specified, and haven't specified web proxy filtering.

3.1.3 SSL/TLS inspection settings

With SSL/TLS inspection settings, you can specify the default settings to enforce secure protocol versions and occurrences.

You can specify the re-signing certificate authorities to sign SSL/TLS server certificates after XG Firewall intercepts, decrypts, and inspects secure traffic. You can specify the settings to drop or reject non-decryptable traffic, which includes insecure protocol versions and occurrences, such as SSL compression and connections that exceed the decryption capabilities of the firewall. You can downgrade TLS 1.3 to TLS 1.2 connections if you face issues using TLS 1.3.

Tip: The settings apply to all SSL/TLS inspection rules. You can override some SSL/TLS inspection settings by adding individual decryption profiles to inspection rules.

Go to Rules and policies > SSL/TLS inspection rules and select SSL/TLS inspection settings.

Re-signing certificate authorities

Specify the re-signing certificate authority for SSL/TLS connections intercepted by XG Firewall. The decryption profile attached to an SSL/TLS inspection rule can override these actions for the rule.

Re-signing certificates must be trusted by the endpoint devices. If they aren't, browsers will show a warning and may refuse to complete the connection.

Tip: Under most circumstances, this requires the installation of copies of the certificates in the browsers or the operating system certificate stores of the endpoint devices. Alternatively, you can create and use signing certificates that are subordinate to an existing trusted enterprise CA for your organization. It isn't possible to obtain signing certificates from CAs that are already trusted by operating systems or browsers.

Most certificate authorities use certificates with either RSA or Elliptic Curve (EC) encryption keys. In most situations, certificates of one type can be signed by certificate authorities of the other, allowing you to use the same CA for both. If you encounter problems with applications that expect certificates of only one type, you can add an EC key and use it for re-signing certificates that were originally signed by an EC-based authority. If you add a second CA, ensure that it is trusted by all endpoint devices.


Name               Description
Re-sign RSA with   Used when the website's certificate was signed using RSA. You can specify an EC or RSA certificate.
Re-sign EC with    Used when the website's certificate was signed using EC. You can specify an EC or RSA certificate.

Non-decryptable traffic

Specify the action for the traffic we won't decrypt, such as insecure protocol versions and occurrences. The decryption profile attached to an SSL/TLS inspection rule can override these actions for the rule.

Name                                     Description
SSL 2.0 and SSL 3.0                      Allowing these connections lowers security.
SSL compression                          Compression before encryption has known vulnerabilities.
When SSL/TLS connections exceed limit    Applies to excess traffic when volume exceeds the decryption capability of the firewall. To see the decryption limit, go to Control center and select the SSL/TLS connections widget.

Select the action for the traffic we won't decrypt:

• Allow without decryption

• Drop: Drops without notifying the source.

• Reject: Drops and sends a connection reset message to the source host.

Note: XG Firewall rejects connections using SSL 2.0 and 3.0, SSL compression, and unrecognized cipher suites if you set the action to Decrypt in SSL/TLS inspection rules. To allow these connections, create a decryption profile set to Allow without decryption. Add the profile to an SSL/TLS inspection rule with the action set to Don't decrypt.


TLS 1.3 compatibility

TLS 1.3 decryption: Select the action.

• Decrypt as 1.3

• Downgrade to TLS 1.2 and decrypt: Some servers and clients haven't implemented TLS 1.3 yet. Select this option if you experience issues using TLS 1.3.

CAUTION: Attackers can exploit vulnerabilities during the downgrade. Selecting the downgrade option applies the setting to all SSL/TLS inspection rules.

For TLS 1.3 connections, you need to set the action to Decrypt in SSL/TLS inspection rules to do the following:

• Apply the TLS compatibility setting Downgrade to TLS 1.2 and decrypt specified in SSL/TLS general settings.

• Block certificate errors and apply the minimum RSA key size specified in decryption profiles.

• Apply the block action Reject and notify specified in the decryption profile. If you apply such a decryption profile to SSL/TLS inspection rules with Don't decrypt or Deny action, XG Firewall applies the block action Reject.
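The rule evaluation described in these notes (top down, first match wins, every criterion must match, the default exclusion rule permanently first) together with the non-decryptable traffic and TLS 1.3 handling of the inspection settings, modelled as an added Python example. This is not Sophos code: the rule fields, profiles, URL group entries and sample connections are constructed, and the outcome for a connection that matches no rule is an assumption.

```python
"""Model of the SFOS 18.0 SSL/TLS inspection rule logic these notes describe:
top-down first-match evaluation, all criteria must match, the default exclusion
rule always first, and profile/settings deciding non-decryptable traffic.
Illustration only, not Sophos code; fields, profiles and samples are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

INSECURE_PROTOCOLS = {"SSL2.0", "SSL3.0"}


def host_in_url_group(host: str, group: Set[str]) -> bool:
    """A URL group lists plaintext domain names; each entry also covers its
    subdomains ('api.example.test' matches 'example.test', 'notexample.test' not)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d)
               for d in (g.lower().rstrip(".") for g in group))


@dataclass
class Settings:
    insecure_action: str = "Reject"   # SSL 2.0/3.0 and SSL compression
    downgrade_tls13: bool = False     # "Downgrade to TLS 1.2 and decrypt"


@dataclass
class Profile:
    name: str
    insecure_action: Optional[str] = None   # None = inherit from Settings
    block_cert_errors: bool = True


@dataclass
class Rule:
    name: str
    action: str                        # "Decrypt", "Don't decrypt" or "Deny"
    profile: Profile
    criteria: Dict[str, Set[str]] = field(default_factory=dict)  # field -> allowed
    url_group: Set[str] = field(default_factory=set)            # websites criterion

    def matches(self, conn: Dict[str, str]) -> bool:
        """Every criterion must match; a criterion that is not set means 'any'."""
        if any(conn[key] not in allowed for key, allowed in self.criteria.items()):
            return False
        return not self.url_group or host_in_url_group(conn["host"], self.url_group)


def decide(rule: Rule, settings: Settings, conn: Dict[str, str]) -> str:
    """Apply the matched rule's action together with its profile and the settings."""
    if rule.action == "Deny":
        return "Deny"                                   # connection not established
    if conn["protocol"] in INSECURE_PROTOCOLS or conn["compression"] == "yes":
        # Decrypt rejects SSL 2.0/3.0 and SSL compression outright; allowing them
        # needs an "Allow without decryption" profile on a Don't decrypt rule.
        if rule.action == "Decrypt":
            return "Reject"
        return rule.profile.insecure_action or settings.insecure_action
    if rule.action == "Don't decrypt":
        return "Allow without decryption"
    # Certificate-error blocking and the TLS 1.3 downgrade apply only to Decrypt.
    if conn["cert_error"] == "yes" and rule.profile.block_cert_errors:
        return "Block (certificate error)"
    if conn["protocol"] == "TLS1.3" and settings.downgrade_tls13:
        return "Decrypt (downgraded to TLS 1.2)"
    return "Decrypt"


def evaluate(rules: List[Rule], settings: Settings, conn: Dict[str, str]) -> Tuple[Optional[str], str]:
    """Top-down, first match wins; rules[0] is the permanent default exclusion rule.
    Assumption: a connection that matches no rule passes without decryption."""
    for rule in rules:
        if rule.matches(conn):
            return rule.name, decide(rule, settings, conn)
    return None, "Allow without decryption"


def connection(**overrides) -> Dict[str, str]:
    """Constructed sample connection carrying the fields the criteria refer to."""
    base = dict(src_zone="LAN", src_ip="10.0.1.5", service="HTTPS", host="www.example.test",
                category="General Business", protocol="TLS1.2", compression="no", cert_error="no")
    base.update(overrides)
    return base


# Constructed rule table: the default exclusion rule first, then custom rules.
MAX_COMPAT = Profile("Maximum compatibility",
                     insecure_action="Allow without decryption", block_cert_errors=False)
STRICT = Profile("Strict compliance")
LOCAL_TLS_EXCLUSION_LIST = {"pinned.example.test"}      # constructed entries
MANAGED_TLS_EXCLUSION_LIST = {"incompatible.example"}   # constructed entries
RULES = [
    Rule("Exclusions by website or category", "Don't decrypt", MAX_COMPAT,
         url_group=LOCAL_TLS_EXCLUSION_LIST | MANAGED_TLS_EXCLUSION_LIST),
    Rule("Legacy device passthrough", "Don't decrypt", MAX_COMPAT,
         criteria={"src_ip": {"10.0.5.20"}}),
    Rule("Decrypt LAN HTTPS", "Decrypt", STRICT,
         criteria={"src_zone": {"LAN"}, "service": {"HTTPS"}}),
    Rule("Deny guests from Finance sites", "Deny", STRICT,
         criteria={"src_zone": {"Guest"}, "category": {"Finance"}}),
]
```

Calling `evaluate(RULES, Settings(), connection(protocol="SSL3.0"))` shows the Decrypt rule rejecting an SSL 3.0 connection, while the same connection from the legacy device's address is allowed without decryption by the Don't decrypt rule and its Maximum compatibility profile.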

Advanced settings

SSL/TLS engine: Disable the engine only when you want to troubleshoot. Once you complete troubleshooting, enable it again.

Warning: When you disable the engine, XG Firewall won't apply SSL/TLS inspection rules, and the DPI engine won't apply the web policy specified in firewall rules to HTTPS traffic. However, this does not affect HTTPS decryption by the web proxy when web proxy filtering is configured in firewall rules.

3.1.4 Add an SSL/TLS inspection rule

You can specify policy-driven inspection rules to establish inbound and outbound SSL and TLS connections over TCP between clients and web servers and decrypt the traffic.

SSL/TLS inspection detects SSL/TLS traffic on any TCP port. Inspection rules apply to detected SSL/TLS connections. You can specify rules to decrypt traffic based on the source, destination, users and groups, services, websites, and web categories. To take effect, the rule must find a match in all criteria.

You can also add decryption profiles to enforce secure connections.

1. Go to Rules and policies > SSL/TLS inspection rules and click Add.

2. Enter the general details.


Rule name: Type a name.

Rule position: Specify the position of the rule in the rule table:

• Top

• Bottom

XG Firewall evaluates rules from the top down until it finds a match. Once it finds a match for the packet, it doesn't evaluate subsequent rules. To change the order of the rules later, you can drag and drop the rule in the rule table.

Action: Select the action:

• Decrypt: Establishes the connection and decrypts the traffic.

• Don't decrypt: Establishes the connection and doesn't decrypt. Use this to create an exclusion rule. Decryption profile restrictions also apply to rules with action set to Don't decrypt.

• Deny: Doesn't establish the connection.

For TLS 1.3 connections, you need to set the action to Decrypt in SSL/TLS inspection rules to do the following:

• Apply the TLS compatibility setting Downgrade to TLS 1.2 and decrypt specified in SSL/TLS general settings.

• Block certificate errors and apply the minimum RSA key size specified in decryption profiles.

• Apply the block action Reject and notify specified in the decryption profile. If you apply such a decryption profile to SSL/TLS inspection rules with Don't decrypt or Deny action, XG Firewall applies the block action Reject.

Log connections: Select to log the connections.


Decryption profile: Select a decryption profile or create one. You can't edit the default profiles.

Decryption profiles override the default SSL/TLS general settings for the re-signing CA and the action for traffic XG Firewall can't decrypt. They allow you to specify a policy-driven action for the rule.

Note: XG Firewall rejects connections using SSL 2.0 and 3.0, SSL compression, and unrecognized cipher suites if you set the action to Decrypt in SSL/TLS inspection rules.

To allow these connections, create a decryption profile set to Allow without decryption. Add the profile to an SSL/TLS inspection rule with the action set to Don't decrypt.

3. Select the source matching criteria.

Source zones: Select the zones from which traffic originates. You can select only internal zones, since SSL/TLS inspection rules apply only to outbound traffic.

Source networks and devices: Select the source networks and devices or create new ones.

Users or groups: Select the source users and groups. The rule will then apply only to traffic originating from the specified users.

4. Select the destination and service matching criteria.

Destination zones: Select the destination zones of traffic.

Destination networks: Select the destination networks or create new ones.


Services: Select the services or create a new service. A service is a combination of protocols and ports. SSL/TLS inspection isn't enforced over UDP.

5. Specify the settings for websites and web categories.

Categories and websites: Select the web categories and websites.

To add an individual website, go to Web > URL groups or Categories and add the website to an existing or new object. You can then select the object in the SSL/TLS inspection rule.

XG Firewall identifies web categories and websites based on the SNI (Server Name Indication) in the SSL/TLS handshake.

Note: XG Firewall enforces SSL/TLS inspection rules and the URL groups you specify if you have a Base License. You can configure web categories, but can't enforce them without a Web Protection license.

6. Select Save.
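As an added example (not Sophos code or configuration), the following Python models the first-match evaluation the steps above describe: every criterion of a rule must match, rules are tried from the top down, only internal source zones are valid, inspection isn't applied over UDP, and websites and categories are identified from the SNI, so a ClientHello without SNI can't match a rule that names a website or category. The zone names, the rule fields, the SNI-to-category map and the sample connections are assumptions made for illustration.

```python
# Added example, not Sophos code: first-match evaluation of an SSL/TLS inspection
# rule table as the steps above describe it. The rule fields, the zone names and
# the sample connections and category map are assumptions for illustration.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

INTERNAL_ZONES = {"LAN", "DMZ", "VPN", "WiFi"}   # assumed internal zone names


@dataclass
class Connection:
    src_zone: str
    src_ip: str
    user: Optional[str]
    dst_zone: str
    dst_ip: str
    proto: str            # "tcp" or "udp"
    port: int
    sni: Optional[str]    # server name from the ClientHello, None if absent


@dataclass
class InspectionRule:
    name: str
    action: str                                    # "decrypt", "dont_decrypt" or "deny"
    src_zones: Set[str] = field(default_factory=set)             # empty = Any
    src_nets: List[str] = field(default_factory=list)            # CIDR strings
    users: Set[str] = field(default_factory=set)
    dst_zones: Set[str] = field(default_factory=set)
    dst_nets: List[str] = field(default_factory=list)
    services: Set[Tuple[str, int]] = field(default_factory=set)  # (proto, port)
    sites: Set[str] = field(default_factory=set)   # category names or domain suffixes


def rule_errors(rule: InspectionRule) -> List[str]:
    """Configuration problems the page calls out: only internal source zones
    are selectable, and inspection is not enforced over UDP."""
    errors = []
    bad_zones = rule.src_zones - INTERNAL_ZONES
    if bad_zones:
        errors.append(f"{rule.name}: non-internal source zone(s) {sorted(bad_zones)}")
    if any(proto != "tcp" for proto, _ in rule.services):
        errors.append(f"{rule.name}: SSL/TLS inspection is not enforced over UDP")
    return errors


def _in_nets(ip: str, nets: List[str]) -> bool:
    return not nets or any(ip_address(ip) in ip_network(n, strict=False) for n in nets)


def _site_match(sni: Optional[str], sites: Set[str], categories: dict) -> bool:
    """Websites and categories are identified from the SNI, so a connection
    without SNI can't match a rule that names any website or category."""
    if not sites:
        return True
    if sni is None:
        return False
    category = categories.get(sni)
    return any(sni == s or sni.endswith("." + s) or s == category for s in sites)


def matches(rule: InspectionRule, conn: Connection, categories: dict) -> bool:
    """Every criterion must match for the rule to apply."""
    return (
        (not rule.src_zones or conn.src_zone in rule.src_zones)
        and _in_nets(conn.src_ip, rule.src_nets)
        and (not rule.users or conn.user in rule.users)
        and (not rule.dst_zones or conn.dst_zone in rule.dst_zones)
        and _in_nets(conn.dst_ip, rule.dst_nets)
        and (not rule.services or (conn.proto, conn.port) in rule.services)
        and _site_match(conn.sni, rule.sites, categories)
    )


def evaluate(rules: List[InspectionRule], conn: Connection, categories: dict):
    """Top-down, first match wins; later rules are not consulted."""
    if conn.proto != "tcp":
        return None, "not TLS over TCP"
    for rule in rules:
        if matches(rule, conn, categories):
            return rule.action, rule.name
    return None, "no rule matched"


# Constructed sample data: an SNI-to-category map and a two-rule table with the
# exclusion placed above the general decrypt rule, so the exclusion wins.
CATEGORIES = {"bank.example": "Finance", "news.example": "News"}
RULES = [
    InspectionRule("Exclude banking", "dont_decrypt", src_zones={"LAN"}, sites={"Finance"}),
    InspectionRule("Decrypt LAN web", "decrypt", src_zones={"LAN"}, services={("tcp", 443)}),
]

if __name__ == "__main__":
    for sni in ("bank.example", "news.example", None):
        c = Connection("LAN", "10.0.0.5", "alice", "WAN", "203.0.113.10", "tcp", 443, sni)
        print(sni, "->", evaluate(RULES, c, CATEGORIES))
```

Note the third sample connection: with no SNI the banking exclusion can't match, and the connection falls through to the decrypt rule. A client that omits SNI (or, with a later TLS extension, encrypts it) therefore doesn't get a website- or category-based exclusion; put such exclusions on destination networks instead if that matters.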

3.1.5 Decryption profiles

Decryption profiles enable you to enforce decryption settings on SSL/TLS connections.

• To clone a decryption profile, click Clone.

• To edit a decryption profile, click Edit.

You can specify the re-signing certificate authorities to sign SSL/TLS server certificates after XG Firewall intercepts, decrypts, and inspects secure traffic. You can also specify the action for traffic that can't be decrypted due to issues such as insecure protocol versions, unrecognized cipher suites, SSL compression, or connections that exceed the firewall's decryption capabilities.

You can specify the action for certificate validation errors and insecure cipher algorithms. You can also enforce an RSA key size and the SSL/TLS versions to use.


Tip: When you specify a setting in both the decryption profile and SSL/TLS inspection settings, the settings in the decryption profile override the settings in SSL/TLS inspection settings.

Note: You can't edit the default profiles.

The default profiles are as follows:

Maximum compatibility: Decrypts as many connections as possible. Doesn't restrict cipher usage.

Block insecure SSL: Prevents the use of weak ciphers. Allows non-decryptable traffic.

Strict compliance: Implements strict compliance. Use this to meet PCI DSS (Payment Card Industry Data Security Standard) specifications.

3.1.6 Add a decryption profile

Decryption profiles enable you to enforce decryption settings on SSL/TLS connections.

Warning: Android devices are known to generate SSL/TLS certificate errors, causing decryption to fail. We recommend creating an SSL/TLS exclusion list for all Android devices.

1. Go to Profiles > Decryption profiles and click Add.

2. Type a name.

3. Optional: Add a description.

4. Specify the re-signing certificate authority for SSL/TLS connections intercepted by XG Firewall.

Re-signing certificates must be trusted by the endpoint devices. If they aren't, browsers will show a warning and may refuse to complete the connection.

Tip: Under most circumstances, this requires the installation of copies of the certificates in the browsers or the operating system certificate stores of the endpoint devices. Alternatively, you can create and use signing certificates that are subordinate to an existing trusted enterprise CA for your organization. It isn't possible to obtain signing certificates from CAs that are already trusted by operating systems or browsers.

Most certificate authorities use certificates with either RSA or Elliptic Curve (EC) keys. In most situations, certificates of one type can be signed by certificate authorities of the other, allowing you to use the same CA for both. If you encounter problems with applications that expect certificates of only one type, you can add an EC key and use it for re-signing certificates that were originally signed by an EC-based authority. If you add a second CA, ensure that it is trusted by all endpoint devices.


Use CAs defined in SSL/TLS settings: Uses the certificate authority specified in SSL/TLS inspection settings.

Re-sign RSA with: Used when the website's certificate was signed using RSA. You can specify an EC or RSA certificate.

Re-sign EC with: Used when the website's certificate was signed using EC. You can specify an EC or RSA certificate.

5. Specify the action for non-decryptable traffic, such as insecure protocol versions, SSL compression, and unrecognized cipher suites.

SSL 2.0 and SSL 3.0: Allowing these connections lowers security.

SSL compression: Compression before encryption has known vulnerabilities.

When SSL/TLS connections exceed limit: Applies to excess traffic when volume exceeds the decryption capability of the firewall. To see the decryption limit, go to Control center and select the SSL/TLS connections widget.

Unrecognized cipher suites: XG Firewall can't decrypt traffic using unrecognized cipher suites. Using unrecognized cipher suites lowers security.

Action for non-decryptable traffic:

• Use SSL/TLS settings default: Applies the action specified in SSL/TLS inspection settings. This option doesn't apply to unrecognized cipher suites.

• Allow without decryption

• Drop: Drops without notifying the source.

• Reject: Drops and sends a connection reset message to the source host.


Note: XG Firewall rejects connections using SSL 2.0 and 3.0, SSL compression, and unrecognized cipher suites if you set the action to Decrypt in SSL/TLS inspection rules.

To allow these connections, create a decryption profile set to Allow without decryption. Add the profile to an SSL/TLS inspection rule with the action set to Don't decrypt.

6. Specify the certificate, protocol, and cipher enforcement details.

Certificate errors to block: Select the certificate errors. XG Firewall blocks connections that have the specified errors.

• Invalid date

• Self-signed

• Untrusted issuer

• Revoked

• Name mismatch: Checks that the server name requested in the Client Hello matches the domain names represented by the certificate.

• Invalid for other reasons

If you created an exception for HTTPS decryption in Web > Exceptions, XG Firewall allows traffic with invalid certificates if the traffic matches the exception criteria.

Minimum RSA key size: Select a minimum key length. Keys of less than 2048 bits are no longer considered secure. Allow them only if it's necessary to ensure compatibility with older servers that can't be upgraded.

Minimum SSL/TLS version: Select the minimum protocol version to allow. Versions earlier than TLS 1.2 are no longer considered secure. Allow them only if it's necessary to ensure compatibility.


Maximum SSL/TLS version: Select the maximum protocol version to enforce. To implement the latest available version, select Maximum supported. When a later protocol version becomes available, XG Firewall will implement that version automatically.

Cipher algorithms to block: Select the key exchange, authentication mechanism, bulk ciphers, and hash algorithms to block.

Block action: Select the action to apply.

• Drop: Drops without notifying the source.

• Reject: Drops and sends a connection reset message to the source host.

• Reject and notify: Establishes the connection but prevents any data transfer with the server. For HTTPS connections, attempts to display a block page with the error reason to the user.

For TLS 1.3 connections, you need to set the action to Decrypt in SSL/TLS inspection rules to do the following:

• Block certificate errors and apply the minimum RSA key size specified in decryption profiles.

• Apply the block action Reject and notify specified in the decryption profile. If you apply such a decryption profile to SSL/TLS inspection rules with Don't decrypt or Deny action, XG Firewall applies the block action Reject.

7. Select Save.

Go to Rules and policies > SSL/TLS inspection rules and add the decryption profile to a rule to specify the action.
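As an added example (not Sophos code), the following Python shows how the settings of a decryption profile combine with the inspection rule's action for a single handshake, following the behaviour the steps above describe: SSL 2.0/3.0, compression and unrecognized cipher suites are always rejected under Decrypt and get the profile's own action under Don't decrypt; certificate errors, key size, version range and blocked ciphers produce the block action; Reject and notify falls back to Reject under Don't decrypt; and for TLS 1.3 the certificate and key-size checks only take effect when the connection is decrypted, because TLS 1.3 sends the server certificate encrypted. The field names, the sample profile and the sample handshakes are assumptions made for illustration.

```python
# Added example, not Sophos code: how a decryption profile's settings combine
# with the inspection rule's action for one handshake, following the behaviour
# described in the steps above (non-decryptable traffic, certificate errors, key
# size, version range, blocked ciphers and the TLS 1.3 restrictions). The field
# names, the sample profile and the sample handshakes are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

VERSIONS = ["SSLv2", "SSLv3", "TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]


@dataclass
class Profile:
    # actions for traffic that can't be decrypted: "allow", "drop" or "reject"
    # (a profile set to "Use SSL/TLS settings default" is assumed to be resolved
    # to one of these by the caller)
    ssl2_ssl3: str = "reject"
    ssl_compression: str = "reject"
    unrecognized_cipher: str = "reject"
    over_limit: str = "allow"
    # certificate, protocol and cipher enforcement
    cert_errors_to_block: Set[str] = field(default_factory=set)
    min_rsa_bits: int = 2048
    min_version: str = "TLS1.2"
    max_version: str = "TLS1.3"
    blocked_ciphers: Set[str] = field(default_factory=set)
    block_action: str = "reject_notify"   # "drop", "reject" or "reject_notify"


@dataclass
class Handshake:
    version: str
    cipher: str = "TLS_AES_128_GCM_SHA256"
    cipher_known: bool = True
    compression: bool = False
    rsa_bits: Optional[int] = 2048        # None for an EC certificate
    cert_errors: Set[str] = field(default_factory=set)
    over_limit: bool = False


def decide(profile: Profile, hs: Handshake, rule_action: str) -> Tuple[str, str]:
    """Return (verdict, reason). rule_action is the inspection rule's action:
    "decrypt", "dont_decrypt" or "deny"."""
    if rule_action == "deny":
        return "deny", "inspection rule action Deny"
    decrypting = rule_action == "decrypt"

    # 1. Non-decryptable traffic. Under Decrypt the page says these are always
    #    rejected; the profile's own action only applies under Don't decrypt.
    legacy = (
        (hs.version in ("SSLv2", "SSLv3"), profile.ssl2_ssl3, "SSL 2.0/3.0"),
        (hs.compression, profile.ssl_compression, "SSL compression"),
        (not hs.cipher_known, profile.unrecognized_cipher, "unrecognized cipher suite"),
    )
    for hit, action, reason in legacy:
        if hit:
            return ("reject" if decrypting else action), reason
    if hs.over_limit:
        return profile.over_limit, "decryption limit exceeded"

    # 2. Enforcement. Profile restrictions also apply to Don't decrypt rules,
    #    but Reject and notify needs a decrypted connection to show its block
    #    page, so it falls back to Reject when the rule doesn't decrypt.
    block = profile.block_action
    if block == "reject_notify" and not decrypting:
        block = "reject"
    problems: List[str] = []
    if VERSIONS.index(hs.version) < VERSIONS.index(profile.min_version):
        problems.append(f"{hs.version} is below minimum {profile.min_version}")
    if VERSIONS.index(hs.version) > VERSIONS.index(profile.max_version):
        problems.append(f"{hs.version} is above maximum {profile.max_version}")
    if hs.cipher in profile.blocked_ciphers:
        problems.append(f"cipher {hs.cipher} is blocked")
    # TLS 1.3 encrypts the server certificate, so certificate errors and the
    # minimum RSA key size can only be enforced when the connection is decrypted.
    if hs.version != "TLS1.3" or decrypting:
        errors = hs.cert_errors & profile.cert_errors_to_block
        if errors:
            problems.append("certificate error(s): " + ", ".join(sorted(errors)))
        if hs.rsa_bits is not None and hs.rsa_bits < profile.min_rsa_bits:
            problems.append(f"RSA key {hs.rsa_bits} bits is below minimum {profile.min_rsa_bits}")
    if problems:
        return block, "; ".join(problems)
    return ("decrypt" if decrypting else "allow"), "passes profile"


# Constructed sample profile
STRICT = Profile(cert_errors_to_block={"self_signed", "revoked", "name_mismatch"},
                 blocked_ciphers={"TLS_RSA_WITH_RC4_128_SHA"})

if __name__ == "__main__":
    for hs, action in (
        (Handshake("SSLv3"), "decrypt"),
        (Handshake("TLS1.2", cert_errors={"self_signed"}), "decrypt"),
        (Handshake("TLS1.3", cert_errors={"self_signed"}), "dont_decrypt"),
        (Handshake("TLS1.2", rsa_bits=1024), "dont_decrypt"),
    ):
        print(hs.version, action, "->", decide(STRICT, hs, action))
```

The third sample case is the one to watch in practice: a TLS 1.3 server with a self-signed certificate passes an exclusion (Don't decrypt) rule untouched, while the same certificate on a TLS 1.2 server is still rejected, because in TLS 1.2 the certificate is visible without decryption.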

3.2 Sandstorm threat intelligence analysis

Sophos Sandstorm gains an added layer of artificial intelligence protection. All suspicious files are now subject to threat intelligence analysis in parallel with full sandbox analysis. Files are checked against the SophosLabs threat intelligence database and subjected to deep learning analysis. This identifies new and unknown malware quickly and efficiently, often rendering a verdict in seconds, to stop the latest zero-day threats before they get on the network.


3.2.1 Threat intelligence widget improvements

The Threat intelligence widget on the dashboard (formerly shown as Sandstorm) now shows new files, incidents, and total scanned files to give a clearer picture of threats seen by Sophos Sandstorm.

3.2.2 Threat intelligence reporting changes

The Threat intelligence report has been improved to give greater insight into threats seen on the network.

Threat intelligence uses multiple different analysis techniques and combines these to determine whether a file is likely to be malicious. This gives you more information and helps reduce false positive detections. You can also view the analysis, release status, and report details, and release files or emails.

• To view details of a scan, hover over the detection status of an entry. This shows a brief overview detailing the threat result at each stage of Sandstorm processing. To view the full report, select View report.

• To filter the results, click Filter and specify criteria.

• To view the details of Sandstorm analysis, select the More options button and then select Show report.

Reports contain the following:

• Download details: For example, the source, download time, and users who downloaded the file.

• Analysis summary: Shows the overall Sandstorm result for the file. Files can be classified as clean, likely clean, suspicious, malicious, or PUA (Potentially Unwanted Application). You can also see an overview of the main file details.

• Machine learning analysis: Shows the overall machine learning result, file feature analysis, feature combination analysis, and the file structure analysis.

• Reputation analysis: The result of this is based on how widely the specific file has been seen.

• Sandstorm detonation results: Shows the activities the file carries out, screenshots of the file being run in Sandstorm, details of the processes the file uses, and the registry activity generated.

• Full file analysis: Shows full details of the file. This section also contains details of the file signatures and any certificates used, the resources called, imports carried out, such as DLLs used, and any export functionality.

• VirusTotal report: Shows how many reports for the specific threat are currently shown in the VirusTotal database and the number of malware detection products that currently detect the file.

When you release a file, users can download it immediately. Only files that are currently being analyzed or that have been returned with error status are eligible for release. Sandstorm continues to analyze the file even if you release it.


CAUTION: Releasing an item before the analysis is complete may result in the downloading of malicious content.

• To release a file or email message, click Release now.

3.3 Sophos Central Firewall Reporting and Management

This release includes support for new firewall reporting and management capabilities being launched simultaneously on Sophos Central, including a rich, powerful new reporting suite and group firewall management tools.

Go to Central synchronization.

Sophos Central services

From XG Firewall, you can turn on centralized reporting, management, and configuration backup in Sophos Central. To use this feature, register this firewall with Sophos Central.

After turning on the services, a Super admin must take action in Sophos Central to activate these services.

Sophos Central services: Turn it on to configure centralized reporting, management, and configuration backup of this XG Firewall from Sophos Central. In Sophos Central, select Global settings. Under Administration, select Registered firewall appliances to see the list of registered appliances.

Use Sophos Central reporting: Select to turn on centralized reporting. In Sophos Central, go to Firewall management > Firewalls. Go to the firewall and select Accept services.

Use Sophos Central management: Select to turn on centralized management. In Sophos Central, go to Firewall management > Firewalls. Go to the firewall and select Accept services.

Send configuration backup to Sophos Central: If you've selected Use Sophos Central management, select this to save configuration backups in Sophos Central. In Sophos Central, go to Firewall management > Backup. Specify a backup schedule or generate the backup.

For details of centralized reporting and management, go to Sophos Central help.


3.4 NAT Enhancements

XG Firewall's NAT configuration receives a major update: NAT rules are now decoupled from firewall rules, enabling more powerful and flexible configuration options, including source (SNAT) and destination (DNAT) translation in a single rule. NAT rules can still be "snapped in" to a firewall rule and edited in place, similar to other snap-in policies such as IPS and web policies.

3.4.1 NAT rules

With Network Address Translation (NAT), you can modify the IP addresses and ports of traffic flowing between networks, generally between a trusted and an untrusted network.

You can create source NAT (SNAT) and destination NAT (DNAT) rules to enable traffic flow between private and public networks by translating non-routable, private IP addresses to routable, public IP addresses. You can create NAT rules for IPv4 and IPv6 networks.

You can specify loopback and reflexive rules for a destination NAT rule. These rules remain independent of the original rule from which they've been created. Changing or deleting the original NAT rule doesn't affect them.

Linked NAT rules are SNAT rules and are created from firewall rules. XG Firewall automatically adds a linked NAT rule to match traffic for email MTA mode.

To allow traffic flow between overlapping local subnets, you need to configure NAT over policy-based IPsec VPN on VPN > IPsec connections. For details, go to knowledge base article 123356.

• To add a NAT rule manually, select Add NAT rule and then select New NAT rule.

• To create destination NAT rules and the related firewall rules automatically, select Add NAT rule and then select Server access assistant (DNAT).

Server access assistant (DNAT)

Use this to create DNAT rules to translate incoming traffic to servers, such as web, mail, SSH, or other servers, and to access remote desktops. The assistant also creates a reflexive SNAT rule (for outbound traffic from the servers), a loopback rule (for internal users accessing the servers), and a firewall rule (to allow inbound traffic to the servers) automatically.

Rule table actions

• To see IPv4 or IPv6 rules in the rule table, select IPv4 or IPv6.

• To hide or show the rule filter, select Disable filter and Enable filter respectively.

• To reset the rule filter, select Reset filter.

• To turn off rules, select the rules and then select Disable.

• To delete rules, select the rules and then select Delete.

• To change the sequence of a rule, drag and drop the Rule handle button. XG Firewall evaluates rules from the top down until it finds a match. Once it finds a match for the packet, it doesn't evaluate subsequent rules. So, position the specific rules above the less specific rules.

Click More options to specify the following actions:

• To turn on or turn off a rule, select the switch.


• To edit or delete a rule, select the action.

• To add a rule next to an existing rule, select the action.

• To unlink a rule from the firewall rule, select Unlink rule.

• To reset the number of times a rule was in use, select Reset usage count. This is useful when troubleshooting.

Firewall rules and NAT rules

NAT rules enforce address translation. You must also create firewall rules to allow the traffic to enter or exit the network.

For NAT rules, the matching criteria are the original (pre-NAT) source, destination, and service and the inbound and outbound interfaces. For outgoing traffic, XG Firewall applies the firewall rule first and then the source NAT rule.

However, for incoming traffic, XG Firewall applies the destination NAT rule first and then the firewall rule. In the firewall rule, the destination zone becomes the zone to which the translated (post-NAT) destination belongs.

Source NAT

You can create source NAT rules for outgoing traffic to enable internal clients and servers to access external hosts. XG Firewall implements one-to-one, many-to-one, and many-to-many translation. Some of these involve port address translation.

You can also define interface-specific NAT to translate the IP addresses of one or more internal hosts to the IP address you specify for an outbound interface.

You can't create a source NAT rule using a public interface that's a bridge member because bridge members don't belong to a zone. If you configure a public interface as a bridge member, source NAT rules using the interface are deleted.

Destination NAT

You can create destination NAT rules for incoming traffic to enable external hosts to access internal clients and servers. You can specify one-to-one, many-to-one, many-to-many, and one-to-many translation from your public IP addresses to private IP addresses.

You can also specify a load balancing method and health check for the translated destination hosts, for example, web or email servers.

Service translation

XG Firewall implements port forwarding with service translation. Services are a combination of protocols and ports. The translated protocol must match the original protocol.

XG Firewall implements one-to-one, many-to-one, and many-to-many translation. For many-to-many translation, the ports for the original and translated services must be equal in number.


Note: The web admin console of XG Firewall and the user portal are accessible over HTTPS through the default ports 4444 and 443 respectively. If your public IP addresses are configured with HTTPS port forwarding to internal web servers, go to Administration > Admin settings and specify unused ports for the Admin console HTTPS port and the User portal HTTPS port. Alternatively, specify a different port for your web servers.

Loopback rules

You can create loopback rules from destination NAT rules to allow internal hosts to communicate with other internal hosts over the external IP address or the domain name. For example, create a destination NAT rule to translate incoming traffic to your servers and create a loopback rule.

To create a loopback rule, specify the following destination NAT rule criteria:

• Original source: Any

• Translated source: Original

• Translated destination: Don’t set to original.

Reflexive rules

You can create a mirror NAT rule for destination NAT rules. It reverses the matching criteria of the destination rule. For example, create a destination NAT rule to translate incoming traffic to an internal server. The corresponding reflexive rule will allow traffic from the server to the source specified in the destination NAT rule.

If the original destination isn't an IP address or is translated, the translated source is masqueraded.

Linked NAT rules

You can create linked NAT rules with firewall rules. These are source NAT rules and will appear in the NAT rule table.

All the matching criteria of a firewall rule, including users and schedule, apply to its linked NAT rule. You can't edit these settings in the NAT rule. You can specify only the translated sources, including interface-specific translated sources, in a linked NAT rule.

XG Firewall matches linked NAT rules only with traffic related to the firewall rule that it's linked to. However, if it finds a match with a rule above the linked NAT rule, it applies the settings specified in the first rule.

Migrated NAT configurations

When you migrate from an earlier version to SFOS 18.0, XG Firewall migrates the NAT settings of firewall rules as NAT rules and lists them in the NAT rule table. You can't define a gateway-based NAT configuration any longer.

Source NAT settings are migrated as linked NAT rules. These rules are linked to the original firewall rule. You can identify these by the firewall rule ID and name in the NAT rule table.

Destination NAT settings are migrated as independent NAT rules and aren’t linked to a firewall rule.


Pre-migration rules and the post-migration rules they become:

• User/Network rules: Source or destination NAT rules based on the pre-migration criteria.

• Email clients: Source NAT rules.

• DNAT/Full NAT/Load balancing: Destination NAT rules with corresponding firewall rules.

• Email servers: Destination NAT rules.

NAT settings are migrated as follows:

Source NAT (SNAT) rules:

• Masqueraded and translated source addresses are migrated as they are.

• If the rule wasn’t configured with gateway-specific NAT, the translated destination is set toMASQ.

• Default source NAT rules aren’t created for public interfaces that are bridge members.

User-network rules with gateway-specific NAT policy and email client (business application) rules: These are migrated as firewall rules and linked (source) NAT rules. The migrated NAT rules will have the following settings:

• Inbound and outbound interfaces are set to Any.

• Translated destination is set to Original.

• Override source translation for specific outbound interfaces is selected in the migrated NAT rule.

Translated source for the outbound interface is set based on the following pre-migration configurations:

• Gateway doesn't have an interface attached: Not migrated.

• Interface attached to the specified gateway isn't attached to another gateway: NAT policy host of the gateway.

• Interface attached to the specified gateway is also attached to the default gateway: NAT policy host of the default gateway; Original for the other gateways.

• Interface attached to the specified gateway is attached to other gateways (and not to the default gateway): NAT policy host of the first gateway; Original for the other gateways.

• Override default NAT policy for specific gateway was selected: NAT policy host of the specified gateway (not the default NAT policy host).

Destination NAT rules: When you migrate a destination NAT (business application) rule, the corresponding migrated NAT rule lists inbound interfaces based on the source zone. They are as follows:

• Interfaces that belong to the source zone specified in the destination NAT rule.

• Bridge interface, if it belongs to the source zone.

• The default Any if no interface belongs to the source zone.

Destination NAT rule with source NAT rule: DNAT rules are migrated as independent firewall and NAT rules. If a reflexive rule was selected, it is migrated as a firewall rule and a linked NAT rule.

Email server (business application) rules: Their migration follows the DNAT rule migration principles. Other migration settings are as follows:

• Users and groups: Migrated to firewall rules.

• Allowed client networks: Source networks and devices in firewall rules.

• Blocked client networks: Exclusions to Source networks and devices in firewall rules.

• Protected zones: Destination zones are set to Any in firewall rules.

• Protected zones in reflexive rule: Source zones in firewall rules.

• Protected servers: Translated destination (DNAT) in destination NAT rules.

• Protected servers in reflexive rule: Source networks and devices in firewall rules.


Clean up linked NAT rules in the rule table

Source NAT settings are migrated as linked NAT rules. These rules are linked to the original firewall rule.

When you migrate to SFOS 18.0, many linked NAT (source NAT) rules may be created in the NAT rule table. They are linked to firewall rules that didn't have NAT settings configured or had implemented NAT based on users and schedule prior to migration.

We didn't prune these rules automatically, to ensure that there's no behavior change after migration. However, you can delete them. They are linked NAT rules with the following criteria:

• Translated source set to MASQ.

• Linked to firewall rules that have destination zone set only to WAN.

At the bottom of the rule table, we added a default source NAT rule (Default SNAT IPv4 or Default SNAT IPv6) with translated source set to MASQ. The rule is turned off by default. You can reposition this rule to replace the deleted rules and turn it on.

In the NAT rule table, the box below the rule filtering menu gives the following options for these linked NAT rules:

• Understood. Don't delete rules: Won't delete the rules. Won't show the box again.

• Delete linked NAT rules (only MASQ; Destination: WAN): Deletes the linked NAT rules with translated source set to MASQ and linked to firewall rules that have destination zone set only to WAN.

• Select the X button on the upper right to hide the box temporarily. The box reappears when you open the page later.
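As an added example (not Sophos code or a Sophos tool), the following Python runs three checks over a NAT rule table that follow from the sections above: service translation must keep the protocol and, beyond one-to-one and many-to-one, needs equal port counts; a DNAT rule that forwards a public IP's HTTPS port must not collide with the default admin console (4444) and user portal (443) ports; and linked SNAT rules that meet the clean-up criteria (translated source MASQ, linked firewall rule's destination zone only WAN) are listed as candidates for deletion. The rule layout, the firewall rule names and the sample rules are assumptions made for illustration.

```python
# Added example, not Sophos code: three checks over a NAT rule table that follow
# from the text above: service translation must keep the protocol and, beyond
# one-to-one and many-to-one, needs equal port counts; a DNAT rule forwarding a
# public IP's HTTPS port must not collide with the admin console (4444) and user
# portal (443) defaults; and linked SNAT rules meeting the clean-up criteria
# (translated source MASQ, linked firewall rule's destination zone only WAN).
# The rule layout and the sample rules are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Service:
    proto: str
    ports: List[int]


@dataclass
class NatRule:
    name: str
    orig_dst: str = "any"
    orig_svc: Optional[Service] = None
    xlat_dst: str = "original"
    xlat_svc: Optional[Service] = None
    xlat_src: str = "original"            # "original", "MASQ" or an address
    linked_fw_rule: Optional[str] = None  # set on linked (source) NAT rules


@dataclass
class FirewallRule:
    name: str
    dst_zones: Set[str]


def service_translation_errors(rule: NatRule) -> List[str]:
    """Service translation rules from the page: same protocol; one-to-one and
    many-to-one are fine; many-to-many needs equal port counts (so one-to-many
    is rejected too)."""
    if rule.orig_svc is None or rule.xlat_svc is None:
        return []
    o, t = rule.orig_svc, rule.xlat_svc
    errors = []
    if o.proto != t.proto:
        errors.append(f"{rule.name}: translated protocol {t.proto} differs from {o.proto}")
    if len(t.ports) > 1 and len(o.ports) != len(t.ports):
        errors.append(f"{rule.name}: {len(o.ports)} original port(s) to {len(t.ports)} translated ports")
    return errors


DEFAULT_ADMIN_PORTS = {"Admin console HTTPS port": 4444, "User portal HTTPS port": 443}


def admin_port_collisions(rules: List[NatRule], admin_ports: Dict[str, int] = DEFAULT_ADMIN_PORTS):
    """DNAT rules that forward a TCP port the firewall itself listens on over
    HTTPS. Either move the admin/user portal ports or use another server port."""
    hits: List[Tuple[str, str, int]] = []
    for r in rules:
        if r.xlat_dst == "original" or r.orig_svc is None or r.orig_svc.proto != "tcp":
            continue
        for label, port in admin_ports.items():
            if port in r.orig_svc.ports:
                hits.append((r.name, label, port))
    return hits


def prunable_linked_rules(rules: List[NatRule], fw_rules: List[FirewallRule]) -> List[str]:
    """Linked NAT rules the page says may be deleted after migration: translated
    source MASQ and linked to a firewall rule whose destination zone is only WAN.
    A default SNAT rule set to MASQ can then replace them."""
    by_name = {f.name: f for f in fw_rules}
    return [r.name for r in rules
            if r.linked_fw_rule in by_name and r.xlat_src == "MASQ"
            and by_name[r.linked_fw_rule].dst_zones == {"WAN"}]


# Constructed sample rules
FW_RULES = [FirewallRule("LAN to WAN", {"WAN"}), FirewallRule("LAN to DMZ and WAN", {"DMZ", "WAN"})]
RULES = [
    NatRule("Web DNAT", orig_dst="203.0.113.2", orig_svc=Service("tcp", [443]),
            xlat_dst="172.16.0.80", xlat_svc=Service("tcp", [8443])),
    NatRule("Bad range", orig_dst="203.0.113.2", orig_svc=Service("tcp", [8000, 8001, 8002]),
            xlat_dst="172.16.0.81", xlat_svc=Service("udp", [9000, 9001])),
    NatRule("#1 linked", xlat_src="MASQ", linked_fw_rule="LAN to WAN"),
    NatRule("#2 linked", xlat_src="MASQ", linked_fw_rule="LAN to DMZ and WAN"),
]

if __name__ == "__main__":
    for r in RULES:
        print(service_translation_errors(r))
    print(admin_port_collisions(RULES))
    print(prunable_linked_rules(RULES, FW_RULES))
```

Run the collision check again after changing the Admin console HTTPS port and User portal HTTPS port in Administration > Admin settings, passing the new values as admin_ports; the sample "Web DNAT" rule stops colliding once the user portal no longer listens on 443.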

3.4.2 Add a NAT rule

You can create NAT rules to modify the IP addresses and ports of traffic flowing between networks, generally between a trusted and an untrusted network.

You can specify source NAT rules for traffic originating from the specified source address and destination NAT rules for traffic to the specified destination address. You can also specify loopback policies to translate traffic from internal sources to internal servers.

To create a source NAT rule, specify the original and translated sources and the inbound and outbound interfaces.

To create a destination NAT rule, specify the original and translated destinations and services, and the inbound and outbound interfaces.

The NAT method in destination rules allows you to enforce load balancing and failover for internal hosts. You can specify health checks to enforce the load balancing and failover settings.

1. Go to Rules and policies > NAT rules. Select IPv4 or IPv6 and then select Add NAT rule.

2. The rule is turned on by default.

3. Enter the rule details.

Name Description

Rule name Type a name.


Rule group: Select a rule group or create one. The firewall rule will belong to this group.

If you select Automatic, the firewall rule is added to an existing group based on first match with rule type and source-destination zones.

4. Specify the translation settings for source, destination, services, and interfaces to match traffic flowing through interfaces and VPN tunnels.

Original source, destination, and service are the pre-NAT entities of traffic when it enters XG Firewall. Translated source, destination, and services are the post-NAT entities of traffic when it exits XG Firewall. You can select the original source, destination, and services or create new ones.

Name Description

Original source: Specify the pre-NAT source objects of outgoing traffic.

To create an inbound NAT rule when the inbound IP address is unknown, select Any.

Translated source (SNAT): IP addresses of the original source objects are translated to the IP addresses that you specify. Use this to perform source NAT (SNAT) for outgoing traffic. To masquerade traffic, select MASQ.

To create an inbound NAT rule, select Original.

Original destination: Specify the pre-NAT destination objects of incoming traffic.

To create an outbound NAT rule, select Any.

Translated destination (DNAT): IP addresses of the destination objects are translated to the IP addresses or FQDN that you specify.

To create an outbound NAT rule, select Original.

Original service: Specify the pre-NAT services. Services are a combination of protocols and ports.

To create an outbound NAT rule, this is generally set to Any.


Translated service (PAT): Original services are translated to the services that you specify. Use this for port address translation (PAT).

If you've specified more than one original service or set it to Any, set the translated service to Original.

The translated protocol must match the original protocol. You can translate original service ports to a single or equal number of translated service ports.

You can use this to port forward traffic to internal servers, for example, specify TCP port 443 to forward incoming HTTPS traffic to an internal web server.

Inbound interface: Select the interfaces through which traffic specified in this rule enters XG Firewall.

For destination NAT, you can specify Any.

For VPNs, set this interface to Any, since VPNs are not interfaces.

Outbound interface: Select the interfaces from which traffic specified in this rule exits XG Firewall.

For VPNs and for destination NAT rules that translate public IP addresses to private IP addresses, set this interface to Any.

5. Optional: Select Override source translation for specific outbound interfaces to apply interface-specific source translation. This option applies only to source NAT rules.

a. Select the Outbound interface and Translated source (SNAT). To specify more than one, select Expand.

6. Optional: Select Create loopback rule to allow internal hosts to access other internal hosts, for example, servers.

7. Optional: Select Create reflexive rule to create a mirror rule that reverses the matching criteria of the rule from which it's created.

Note: You can create loopback and reflexive rules for destination NAT rules. They are created using the original NAT rule ID and name. Changing the original NAT rule settings later doesn't change loopback and reflexive rule settings.

8. Optional: Select the Load balancing method to load balance traffic among the translated internal hosts.


Option Description

Round robin: Requests are served sequentially, starting with the server next to the previously assigned server. Use it when you want to distribute traffic equally and don't require session persistence.

First alive: Incoming requests are served to the primary server (the first IP address of the range). If the primary server fails, requests are forwarded to the next server and so on. Use it for failover.

Random: Requests are served randomly to the servers with equal load distribution. Use this when you want equal distribution and don't require session persistence or order of distribution.

Sticky IP: Traffic from a specific source is forwarded to the mapped server. Use this when you want the requests to be processed by the same server.

One-to-one: Requests are sent to the mapped IP addresses. The IP addresses of the original and translated destinations must be equal in number.

9. Optional: Select Health check to enforce server failover. Specify the probe interval, response time-out and the number of retries after which to deactivate the host.

Health check is enforced by default for the First alive NAT method.

a. Select the Probe method. You can select ICMP (ping) or TCP protocols.

b. Enter the Port over which to check.

c. Specify the Probe interval. It's the interval between health checks.

d. Specify the Response time-out. The server must respond within this time period to be considered alive.

e. For Deactivate host after, specify the number of retries.

10. Select Save.
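The following Python class is an added example, not Sophos code, that models the server selection behind the five load balancing methods in step 8 together with the "Deactivate host after" retry counter of the health check in step 9. It goes slightly beyond the text in one place, flagged in the code: a host that has been deactivated is assumed to come back on its first successful probe, which the text does not specify. Probe timing (interval, time-out) is left to the caller, who feeds each probe result to `record_probe()`. The server addresses, the method names and the hashing used for Sticky IP are illustrative assumptions.

```python
"""Server selection for a DNAT rule with a load balancing method and a
health check. Added example, not Sophos code; the NAT method names and the
internal data model are assumptions for illustration.
"""
import random
from ipaddress import ip_address


class DnatPool:
    METHODS = ("round_robin", "first_alive", "random", "sticky_ip", "one_to_one")

    def __init__(self, servers, method, deactivate_after=3, originals=None, seed=None):
        if method not in self.METHODS:
            raise ValueError("unknown NAT method %r" % method)
        if method == "one_to_one" and (originals is None or len(originals) != len(servers)):
            # The text requires equal numbers of original and translated destinations.
            raise ValueError("one_to_one needs one original destination per server")
        self.servers = list(servers)          # translated destinations, in range order
        self.method = method
        self.deactivate_after = deactivate_after
        self.originals = list(originals or [])
        self.failures = {s: 0 for s in self.servers}
        self.alive = {s: True for s in self.servers}
        self._last = -1                       # index of the previously assigned server
        self._rng = random.Random(seed)

    def record_probe(self, server, ok):
        """Feed one ICMP or TCP probe result. After deactivate_after consecutive
        failures the host is deactivated; a successful probe reactivates it
        (the reactivation rule is an assumption, not from the text)."""
        if ok:
            self.failures[server] = 0
            self.alive[server] = True
        else:
            self.failures[server] += 1
            if self.failures[server] >= self.deactivate_after:
                self.alive[server] = False

    def alive_servers(self):
        return [s for s in self.servers if self.alive[s]]

    def select(self, client_ip=None, original_dst=None):
        """Translated destination for a new connection, or None when no server
        is alive, i.e. the connection cannot be forwarded."""
        alive = self.alive_servers()
        if not alive:
            return None
        if self.method == "round_robin":
            n = len(self.servers)
            for step in range(1, n + 1):      # next alive server after the last one used
                idx = (self._last + step) % n
                if self.alive[self.servers[idx]]:
                    self._last = idx
                    return self.servers[idx]
        if self.method == "first_alive":
            return alive[0]                   # primary = first address in the range
        if self.method == "random":
            return self._rng.choice(alive)
        if self.method == "sticky_ip":
            # Hash the source address over the live servers: the same client keeps
            # hitting the same server until a failover changes the live set.
            return alive[int(ip_address(client_ip)) % len(alive)]
        if self.method == "one_to_one":
            server = self.servers[self.originals.index(original_dst)]
            return server if self.alive[server] else None
        return None


if __name__ == "__main__":
    # Constructed pool for illustration (not a real configuration).
    pool = DnatPool(["10.1.1.11", "10.1.1.12", "10.1.1.13"], "round_robin", deactivate_after=2)
    print([pool.select() for _ in range(4)])
    pool.record_probe("10.1.1.12", False)
    pool.record_probe("10.1.1.12", False)     # second failure: host deactivated
    print(pool.alive_servers(), [pool.select() for _ in range(3)])
```

Note what the One-to-one method does on failure: the mapped server is the only candidate, so a deactivated host means the connection is not forwarded at all rather than spilling over to another server.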

3.4.3 Add a DNAT rule with server access assistant

The server access assistant helps you create destination NAT (DNAT) rules for inbound traffic to internal servers.

Use this to create DNAT rules to translate incoming traffic to servers, such as web, mail, SSH, or other servers, and to access remote desktops. The assistant also creates a reflexive SNAT rule (for outbound traffic from the servers), a loopback rule (for internal users accessing the servers), and a firewall rule (to allow inbound traffic to the servers) automatically.

Creating NAT and firewall rules that meet basic requirements using the server access assistant is a simple process. To add other rule settings, you can edit these rules later.

1. Select the server access assistant from the following options:


• Go to Rules and policies > NAT rules. Select IPv4 or IPv6 and then select Add NAT rule. Select Server access assistant (DNAT).

• Go to Rules and policies > Firewall rules. Select IPv4 or IPv6 protocol and select Add firewall rule. Select New firewall rule. Select Server access assistant (DNAT).

2. Specify the settings:

Option Description

Internal server IP address: To specify the internal server to access from the internet, select an internal IP host. Alternatively, you can enter a private IP address.

If you enter an IP address, XG Firewall automatically creates an IP host with the assigned name. You can change the name.

To specify more than one server, edit the rules later.

Public IP address: Select a public IP address or WAN interface. Alternatively, you can enter a public IP address.

If you enter an IP address, XG Firewall automatically creates an IP host with the assigned name. You can change the name.

To specify more than one public interface or IP address, edit the rules later.

Services: Select the services users can access on the internal server.

You can't create new services here. You can add them before you create the rules with the server access assistant or when you edit the rules later.

To specify port translation, edit the rules later.

External source networks and devices: Select the source networks and devices from which users can access the internal server.

To automatically create a loopback rule for internal users to access the server, select Any.

Save and finish: Review the settings and rules. Save the settings.


The server access assistant creates DNAT, reflexive SNAT, and loopback NAT rules for address translation and a firewall rule to allow inbound traffic to internal servers. The rules are added at the top of the NAT and firewall rule tables and are turned on by default.

The reflexive and loopback rule names carry the name and rule ID of the DNAT rule created. The firewall rule name carries the DNAT rule name.

What next

• Reposition the rules in the NAT and firewall rule tables to meet your requirements. XG Firewall evaluates rules from the top down.

• Edit the rules to specify other settings, if required.

• Create a firewall rule to allow outbound traffic matching the reflexive NAT rule, if required.

3.5 Improvements in managing firewall rules

Firewall rule management includes a new Add filter option with several fields and conditions to choose from. Adding a filter makes it easier to find firewall rules based on the selected filter criteria. Once selected, filters stay selected even when you move to other configuration screens.

You can manage multiple firewall rules at the same time (for example, select multiple rules to delete, enable or disable, or attach to a group). Movement of rules across screens is possible, providing ease of use and management for larger rule sets.

Within the firewall rule there is an exclusion feature that provides a "negate" option in the matching criteria to reduce the management and ordering overhead of multiple rules. There's also a UI option to reset the data transfer counter for a firewall rule to improve troubleshooting.

Server access assistant (DNAT)

Use this to create DNAT rules to translate incoming traffic to servers, such as web, mail, SSH, or other servers, and to access remote desktops. The assistant also creates a reflexive SNAT rule (for outbound traffic from the servers), a loopback rule (for internal users accessing the servers), and a firewall rule (to allow inbound traffic to the servers) automatically.

Rules and rule groups

You can create firewall rules and add them to rule groups.

XG Firewall evaluates firewall rules, not rule groups, to match criteria with traffic. It uses the matching criteria of rule groups only to group firewall rules.

Default rules

XG Firewall creates default rule groups containing a firewall rule to drop traffic to WAN, DMZ, and internal zones (LAN, Wi-Fi, VPN, and DMZ). These rules are turned off by default.

A firewall rule for email MTA is automatically created along with a linked NAT rule when you turn on MTA mode. MTA mode is turned on by default.

The default Drop all rule is assigned ID 0. The rule drops traffic that doesn't match the criteria of any firewall rule. It's positioned at the bottom of the rule table. You can't edit, delete, or move this rule. It doesn't show the usage count. Filters don't apply to it.

Rule groups

You can't create rule groups without a firewall rule. So, create a rule group when you create a rule from the rule template or with an existing rule from the rule table.


You can add a firewall rule to a rule group or detach it from the group. Empty rule groups can't exist. When you delete the last rule from a rule group, the rule group is deleted.

Rule table actions

• To see IPv4 or IPv6 rules in the rule table, select IPv4 or IPv6.

• To hide or show the rule filter, select Disable filter or Enable filter.

• To turn on or turn off rules or rule groups, select them and select Enable or Disable.

If you select a combination of turned on and turned off rules, you can't use these buttons.

• To delete rules or rule groups, select them and select Delete.

• To filter the rules by any rule parameter, select Add filter and then select a field name and its option.

When you apply the filter, you can't select a rule group because groups may contain a combination of turned on and turned off rules. However, you can select individual rules.

• To reset the rule filter, select Reset filter.

• To view the rule details in the rule table, pause over the icons under Feature and service.

• To turn off rules or rule groups, select them and select Disable.

• To edit a rule group, click Edit.

• Hash (#) indicates the rule position. To change the position of a rule or rule group, drag and drop the rule handle. XG Firewall evaluates rules from the top down until it finds a match. Once it finds a match for the packet, it doesn't evaluate subsequent rules. So, position the specific rules above the less specific rules.

You can change the position of a rule within the rule group. To change its position beyond the group, detach the rule from the group or change the position of the group.

Click More options to specify the following rule actions:

• To turn on or turn off a rule, select the switch.

• To reset the data transferred, select Reset data transfer count. This is useful when troubleshooting.

To see the data transferred using a rule, go to Reports > Dashboards. Select Traffic dashboard and scroll down to Allowed policies.

• To edit or delete a rule, select the action.

• To add or clone a rule next to an existing rule, select the action.

• To detach a firewall rule from a group, select Detach.

Rule group actions: Click More options next to a rule to specify rule group actions.

• You can create a rule group for rules that aren't attached to a rule group. Select New group under Add to group next to the rule. Enter a Group name and specify the Rule type and the source and destination zones.

• To add a rule to a rule group, select a group or add a new group.


• To delete a rule group, click Delete.

Linked NAT rules

These are source NAT rules and are listed in the NAT rule table. You can identify them by the firewall rule ID and name.

XG Firewall applies firewall rules before it applies source NAT rules. If a NAT rule above the linked rule meets the matching criteria, XG Firewall applies that rule and doesn't look further for the linked rule. However, linked NAT rules apply only to traffic that matches the firewall rule they are linked to.

You can unlink a linked NAT rule from the NAT rule table. Once you unlink the rule from the original firewall rule, you can edit the NAT rule. It will now be evaluated independently of the original firewall rule, based on its own criteria and not the original firewall rule's criteria.
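The ordering rules in the two paragraphs above are easy to get wrong in a large NAT table, so here is an added Python simulation of them (example code, not Sophos code): the firewall rule is matched first, the NAT table is then read top down and the first match wins, a linked NAT rule matches only traffic that hit the firewall rule it is linked to, and an unlinked NAT rule placed above it can take that traffic instead. It also shows what changes when a rule is unlinked. The data model, zone and interface names, rule IDs and addresses are assumptions made for illustration.

```python
"""Source NAT rule selection with linked NAT rules in the table.

Added example, not Sophos code. The classes below are an assumed model of
the rule tables, reduced to the fields the ordering semantics depend on.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY_NET = [ip_network("0.0.0.0/0")]


@dataclass
class FirewallRule:
    rule_id: int
    name: str
    src_zones: set
    dst_zones: set
    src_nets: list
    dst_nets: list


@dataclass
class NatRule:
    name: str
    original_source: list
    original_destination: list
    outbound_ifaces: set              # {"any"} or interface names
    translated_source: str            # "MASQ" or an IP address
    linked_to: Optional[int] = None   # firewall rule ID for a linked NAT rule


@dataclass
class Packet:
    src: str
    dst: str
    src_zone: str
    dst_zone: str
    out_iface: str


def _in(addr, nets):
    return any(ip_address(addr) in n for n in nets)


def _iface_ok(rule, pkt):
    return "any" in rule.outbound_ifaces or pkt.out_iface in rule.outbound_ifaces


def match_firewall(rules, pkt):
    """First matching firewall rule, or None (the implicit Drop all, ID 0)."""
    for r in rules:
        if (pkt.src_zone in r.src_zones and pkt.dst_zone in r.dst_zones
                and _in(pkt.src, r.src_nets) and _in(pkt.dst, r.dst_nets)):
            return r
    return None


def match_nat(nat_rules, pkt, fw_rule):
    """First matching NAT rule, top down, for traffic that matched fw_rule."""
    for n in nat_rules:
        if n.linked_to is not None:
            # A linked rule has no criteria of its own: it matches only if the
            # packet hit the firewall rule it is linked to.
            if fw_rule.rule_id == n.linked_to and _iface_ok(n, pkt):
                return n
            continue
        if (_in(pkt.src, n.original_source) and _in(pkt.dst, n.original_destination)
                and _iface_ok(n, pkt)):
            return n
    return None


def evaluate(fw_rules, nat_rules, pkt):
    """Returns (action, NAT rule name, source address after translation)."""
    fw = match_firewall(fw_rules, pkt)
    if fw is None:
        return ("drop", None, None)
    nat = match_nat(nat_rules, pkt, fw)
    if nat is None:
        return ("accept", None, pkt.src)      # no SNAT: source unchanged
    return ("accept", nat.name, nat.translated_source)


def unlink(nat, fw):
    """Unlinking: the NAT rule takes over the firewall rule's criteria and is
    evaluated on its own afterwards, whatever firewall rule the packet hit."""
    return NatRule(nat.name, list(fw.src_nets), list(fw.dst_nets),
                   set(nat.outbound_ifaces), nat.translated_source, linked_to=None)


# Constructed tables for illustration (not a real configuration).
FW = [
    FirewallRule(7, "LAN to WAN", {"LAN"}, {"WAN"}, [ip_network("10.0.0.0/8")], ANY_NET),
    FirewallRule(9, "LAN to DMZ", {"LAN"}, {"DMZ"}, [ip_network("10.0.0.0/8")],
                 [ip_network("172.16.0.0/24")]),
]
NAT = [
    # Unlinked rule above the linked one: it wins for the mail server's traffic.
    NatRule("Mail server SNAT", [ip_network("10.1.1.25/32")], ANY_NET, {"Port2"}, "203.0.113.25"),
    NatRule("#7 LAN to WAN", ANY_NET, ANY_NET, {"any"}, "MASQ", linked_to=7),
]
```

Run `evaluate(FW, NAT, Packet("10.1.1.25", "198.51.100.9", "LAN", "WAN", "Port2"))` and the mail server is translated by the unlinked rule although firewall rule 7 matched; `10.1.1.50` on the same path gets MASQ from the linked rule; LAN-to-DMZ traffic that hit rule 9 gets no translation, because the linked rule is bound to rule 7 only. After `unlink(NAT[1], FW[0])` the same LAN-to-DMZ packet is masqueraded, since the rule now matches on its own source and destination criteria.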

NAT and routing migration

NAT configuration

When you migrate from an earlier version to SFOS 18.0, XG Firewall migrates the NAT settings of firewall rules as NAT rules and lists them in the NAT rule table. It no longer offers gateway-based NAT configuration.

XG Firewall uses the firewall rule ID to match traffic with migrated NAT rules. For details of NAT migration from versions earlier than SFOS 18.0, go to NAT rules (page ).

Routing configuration

In SFOS 18.0 and later versions, you need to specify routing policies in SD-WAN policy routing. Firewall rules no longer include routing settings. When you migrate from an earlier version, XG Firewall migrates the routing settings in firewall rules as Migrated SD-WAN policy routes. You can see them in the SD-WAN policy routing table. You can identify these migrated policy routes by the firewall rule ID and name.

XG Firewall uses the firewall rule ID to match traffic with migrated routes. For details of policy route migration from versions earlier than SFOS 18.0, go to Migrated SD-WAN policy routes (page ).

Migrated firewall rules: Rule behavior

In SFOS 17.5 and earlier, although business application rules and user-network rules were listed in a single rule table, XG Firewall evaluated these rule types independently to find matching criteria.

For system-destined traffic (example: accessing XG Firewall services) and incoming traffic (example: traffic to internal servers) that matched a destination NAT rule, it ignored user-network rules and matched the traffic with business application rules.

From SFOS 18.0, XG Firewall has removed the distinction between business application and user-network rules. It now offers both as firewall rules. To ensure that the consolidation does not affect the rule-matching behavior of earlier versions, it will continue to ignore migrated user-network rules positioned above migrated business application rules for system-destined and incoming traffic.

Web server rules and protection policies: XG Firewall has merged some protection categories into a single category, mapped filter rules to new rule IDs, and introduced filtering strength levels. For details, go to protection policies for web servers.

3.5.1 Add firewall rule

You can select web server protection rules from the firewall rule. You can specify web filtering through the web proxy instead of through the DPI engine.


Create rules for IPv4 or IPv6 networks. Specify the matching criteria, such as source, destination, services, and users during a time period. Select the policies and the scanning action to apply. Select the action to enforce on Synchronized Security endpoints and servers.

1. Go to Rules and policies > Firewall rules. Select IPv4 or IPv6 protocol and select Add firewall rule. Select New firewall rule.

2. Rules are turned on by default. You can turn off a rule if you don't want to apply its matching criteria.

3. Enter the general details.

Name Description

Rule name: Type a name.

Rule position: Specify the position of the rule in the rule table:

• Top

• Bottom

XG Firewall evaluates rules from the top down until it finds a match. Once it finds a match, it doesn't evaluate subsequent rules. You can change the rule sequence in the rule table.

Rule group: Select a rule group or create one. The firewall rule will belong to this group.

If you select Automatic, the firewall rule is added to an existing group based on first match with rule type and source-destination zones.

Action: Select an action:

Accept: Allows traffic.

Drop: Drops traffic without notification.

Reject: Drops traffic and sends an ICMP port unreachable message to the source.

Protect with web server protection: Select this and specify the web server protection (WAF) details to control web application traffic.


Preconfigured template: If you've selected web server protection, select a template to apply:

None: Specify the web server protection details.

Exchange Autodiscover

Exchange Outlook Anywhere

Exchange General

Microsoft Lync

Microsoft Remote Desktop Gateway 2008 and R2

Microsoft Remote Desktop Web 2008 and R2

Microsoft Sharepoint 2010 and 2013

Log firewall traffic: Select to log all traffic that matches this rule. By default, logs are stored on XG Firewall.

To add a syslog server and save logs on the server, go to System services > Log settings.

Note: Sessions are logged when a connection is terminated upon receiving a connection "Destroy" event. Connections that are terminated without a "Destroy" event being seen by XG Firewall, such as during the loss of internet connection, aren't logged.

4. Select the source matching criteria.

Name Description

Source zones: Select the zones from which traffic originates.

Source networks and devices: Select the source networks and devices or create new ones.

During scheduled time: Select a schedule or create one. XG Firewall matches the rule criteria during the time period and day of the week that you select.


5. Enter the destination and service matching criteria.

Name Description

Destination zones: Select the destination zones in which the traffic terminates.

Destination networks: Select the destination networks or create new ones.

Services: Select the services or create a new service. Services are a combination of protocols and ports.

6. Specify the user identity criteria.

Name Description

Match known users: Select to add user identity as a matching criterion.

Use web authentication for unknown users: Select to authenticate unknown users who try to access the web. These are users who've signed in to their endpoint devices, but have not been authenticated.

To specify web authentication settings, go to Authentication > Web authentication. You can specify AD SSO (Kerberos and NTLM) or captive portal authentication.

To turn on access to AD SSO and captive portal from the required zones, go to Administration > Device access.

Users or groups: Select the users and groups. The rule will then apply only to traffic originating from the specified users and groups.

Exclude this user activity from data accounting: Select to exclude the specified users' traffic from data accounting.

By default, XG Firewall adds traffic that matches the rule criteria to individual users' data transfer.

Use this if you don't want to set a data usage limit on the specified users.

7. Select Add exclusion to add exclusions to the rule. XG Firewall won't match the specified criteria for the following objects:

• Source zones


• Source networks and devices

• Destination zones

• Destination networks

• Services

8. Select Create linked NAT rule if you want to enforce address translation for this rule's source networks and devices.

Linked NAT rules are source NAT rules and are listed in the NAT rule table. You can identify them by the firewall rule ID and name.

You can change only the translated source and the outbound interface-specific source translation in a linked NAT rule. For the rest, it applies the matching criteria of the firewall rule that it's linked to, including users and groups.

CAUTION: Linked NAT rules apply only to the traffic defined by the firewall rule to which they are linked. However, if the criteria of a NAT rule placed above the linked NAT rule matches the traffic, the former rule is applied. XG Firewall doesn't evaluate subsequent rules once it finds a match.

9. Select Web filtering to specify the settings.

Select the web policy, malware and content scanning, and the filtering settings.

Malware and content scanning: The settings specified in Web > General settings apply.

Filtering: Select the settings to filter web traffic over common web ports. If you want to select web proxy filtering, you must first select a web policy or malware and content scanning for HTTP and decrypted HTTPS.

If you set up web proxy filtering on bridge interfaces without an IP address, the traffic is dropped.

Name Description

Web policy: Select a web policy or create one.

Apply web category-based traffic shaping: Select to apply the bandwidth settings specified for the web categories within the policy.

Block QUIC protocol: Blocks the QUIC protocol by dropping outbound UDP packets to ports 80 and 443 for traffic that matches the rule's criteria. It's selected by default when you select a web policy or turn on scanning for HTTP and decrypted HTTPS.

Chrome uses the protocol by default to establish sessions with Google services. QUIC traffic can't be scanned and bypasses web filtering.


Scan HTTP and decrypted HTTPS: Select to scan web traffic for malware.

This option doesn't turn on HTTPS decryption. To ensure HTTPS traffic is decrypted for scanning, use SSL/TLS inspection rules in DPI mode or select Decrypt HTTPS during web proxy filtering.

Detect zero-day threats with Sandstorm: If you selected scanning for HTTP and decrypted HTTPS, select to send files downloaded over HTTP or HTTPS for Sandstorm analysis. Sandstorm protects your network from zero-day (unknown and unpublished) threats.

Scan FTP for malware: Select to scan FTP traffic for malware.

Use web proxy instead of DPI engine: Select to use the web proxy to filter traffic only on ports 80 (HTTP) and 443 (HTTPS). The DPI engine continues to filter HTTP and SSL/TLS traffic on other ports.

You require proxy mode to enforce SafeSearch and YouTube restrictions, to restrict sign-ins to Google Apps (example: Gmail, Drive) to certain domain accounts, to turn on pharming protection and web content caching, and to connect to a parent proxy.

To use the DPI engine for web filtering, clear the check box. The DPI engine filters HTTP and SSL/TLS traffic on all ports. With this setting, XG Firewall uses direct mode. It applies SSL/TLS inspection rules to intercept, decrypt, and inspect encrypted traffic based on the rule-matching criteria and decryption profiles.

To make sure that SSL/TLS inspection rules are turned on and to create SSL/TLS inspection rules, go to Rules and policies > SSL/TLS inspection rules.

Decrypt HTTPS during web proxy filtering: Turning on this option also decrypts HTTPS traffic in direct proxy mode.

Tip: You can create a firewall rule with web proxy filtering for pre-configured FQDN host groups to enforce Safe Search, YouTube restrictions, and to restrict sign-ins to G Suite applications. To create this firewall rule, see the learning content linked to this page.


Note: You can use direct proxy mode even if you don't select Use web proxy instead of DPI engine. To use direct proxy mode, clients must be configured to use XG Firewall in their proxy settings. For information about using XG Firewall as a direct web proxy, go to Web proxy configuration in Web > General settings.

Note: XG Firewall skips decryption, malware and content scanning, Sandstorm analysis, and policy checks for the corresponding exceptions you specify in Web > Exceptions. Exceptions apply both to DPI and proxy modes.

10. Select Configure Synchronized Security Heartbeat to specify the Heartbeat settings. Specifying these controls allows you to protect endpoint devices and servers in your network through XG Firewall.

Endpoint devices and servers configured with Synchronized Security send a heartbeat, which is information about their health status, to XG Firewall at pre-defined intervals.

Name Description

Minimum source HB permitted: Select the minimum health status that a device from which traffic originates must maintain. If a device doesn't send the minimum heartbeat, its user won't receive the access defined in this rule.

Green: Only endpoints sending this health status have access.

Yellow: Only endpoints sending a green or yellow health status have access.

No restriction: All endpoints have access, including those that aren't sending a heartbeat or are sending a red status.

Block clients with no heartbeat: Select to block the devices that don't send a heartbeat.


Minimum destination HB permitted: Select the minimum health status that a device receiving traffic must maintain. If a device doesn't send the minimum heartbeat, its user won't receive the access defined in this rule.

Green: Only endpoints sending this health status have access.

Yellow: Only endpoints sending a green or yellow health status have access.

No restriction: All endpoints have access, including those that aren't sending a heartbeat or are sending a red status.

You can apply destination heartbeat control to devices in the internal network, not in the WAN zone.

Block request to destination with no heartbeat: Select to block the devices that don't send a heartbeat.

11. Select the settings for the other security features. You can select or create new application control, IPS, and traffic shaping policies.

Name Description

Identify and control applications (App control): Select an application filter policy.

Apply application-based traffic shaping policy: Select to apply the bandwidth settings specified for the applications within the application category.

Detect and prevent exploits (IPS): Select an IPS policy.

Shape traffic: Select a traffic shaping policy to apply a bandwidth guarantee or limit.

If you've selected Match known users, the specified users' traffic shaping policy is applied. In the absence of a user policy, the group policy is applied.


DSCP marking: Select the level of DSCP marking to mark packets for priority. For details, see DSCP Value.

Expedited forwarding (EF): Priority queuing that ensures low delay and low packet loss. Suitable for real-time services.

Assured forwarding (AF): Assured delivery, but with packet drop if congestion occurs. Assigns higher priority than best-effort.

Class selector (CS): Backward compatibility with network devices that use IP precedence in type of service.

12. To scan email content, select the protocols IMAP, IMAPS, POP3, POP3S, SMTP, and SMTPS.

If you select a protocol here and haven't added its standard ports to Services in this rule, select Add ports. The standard ports for the selected protocols are added to services.

13. Select Save.

3.6 Wildcard domains in WAF rules

You can now add wildcard domains in WAF (Web Application Firewall) rules. You can add wildcard subdomains (example: *.example.com) for both HTTP and HTTPS connections.

1. Go to Rules and policies > Firewall rules. Select IPv4 or IPv6 and select Add firewall rule.

2. For Action, select Protect with web server protection.

3. To create a WAF rule, set Preconfigured template to None.

4. Under Hosted server, for Domains, enter the following.

Domains: Enter the FQDN configured for the web server, for example, shop.example.com.

If you've turned on HTTPS, the domain names of the selected HTTPS certificate show in the list. You can edit or delete these or add new domain names.

You can use the wildcard *. at the start of a domain name only.

Example: *.company.com

A single WAF policy supports multiple wildcard domains. A virtual web server with a wildcard domain is only matched when no virtual web server with a specific (non-wildcard) domain matches the request.

Example: A client request to the domain test.company.com will match test.company.com before it matches *.company.com, and *.company.com before *.com.
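The following Python script is an added example, not XG Firewall code and not part of these release notes. It models the matching order described above (a specific domain wins over any wildcard, and among wildcards the longest suffix wins) and the validation rule that a wildcard may only appear as a leading *. label. Two details are assumptions, because the page does not state them: a wildcard matches any number of subdomain labels, and it never matches the bare domain itself. The configured virtual web servers are constructed for the demonstration.

```python
"""Model of WAF virtual web server selection by Host name (added example; not XG Firewall code).

Order from the release notes: a server with a specific domain wins over any wildcard,
and among wildcards the most specific (longest) suffix wins.
Assumptions not stated on the page: '*.' matches one or more labels, never the bare domain.
"""
from typing import Optional


def validate_domain(domain: str) -> str:
    """Accept either an FQDN or '*.<suffix>'; a '*' anywhere else is rejected."""
    d = domain.strip().lower().rstrip(".")
    if "*" in d and not (d.startswith("*.") and "*" not in d[2:]):
        raise ValueError(f"wildcard is only allowed at the start: {domain!r}")
    if d in ("", "*") or ".." in d:
        raise ValueError(f"invalid domain: {domain!r}")
    return d


def _matches(host: str, domain: str) -> bool:
    if not domain.startswith("*."):
        return host == domain
    suffix = domain[1:]                      # ".company.com"
    # The leading dot keeps 'evilcompany.com' from matching '*.company.com',
    # and 'company.com' itself is not matched (no label before the suffix).
    return host.endswith(suffix) and len(host) > len(suffix)


def select_virtual_server(host: str, servers: dict) -> Optional[str]:
    """servers maps a configured domain to a virtual web server name.

    Returns the server that would handle 'host', or None when no WAF rule covers it.
    """
    host = host.strip().lower().rstrip(".").split(":")[0]   # drop an explicit port
    candidates = []
    for domain, name in servers.items():
        domain = validate_domain(domain)
        if _matches(host, domain):
            specific = not domain.startswith("*.")
            candidates.append((specific, len(domain), name))
    if not candidates:
        return None
    candidates.sort(reverse=True)            # specific first, then longest wildcard suffix
    return candidates[0][2]


# Constructed configuration for the demonstration.
SERVERS = {
    "test.company.com": "vws-test",
    "*.company.com": "vws-wild-company",
    "*.com": "vws-wild-com",
}

if __name__ == "__main__":
    for h in ("test.company.com", "shop.company.com", "a.b.company.com",
              "other.com", "company.com", "evilcompany.com", "intranet.local"):
        print(f"{h:20} -> {select_virtual_server(h, SERVERS)}")
```

The suffix check with the leading dot is the part worth copying into any home-grown Host matching: without it, a wildcard for *.company.com would also front-end requests for evilcompany.com.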

3.7 SD-WAN policy-based routing

Policy-based routing gains added SD-WAN flexibility and more granular control with the addition of application, user and group-based traffic selection criteria. Routing can be defined through either the primary or a backup gateway WAN connection and can be configured for the reply direction.

3.7.1 What's new in SD-WAN policy routing

A comparison of features and behavior of the routing settings in 17.5 and earlier with SD-WAN policy routing in 18.0.

Introduction

You can create SD-WAN policy routes for the following:

• Application-based routes

• User and group-based routes

• System-generated traffic

• Reply packets


3.7.1.1 Routing (17.5) vs SD-WAN policy routing (18.0)

Rules and policies that are required
  17.5 and earlier: Firewall rules with routing and NAT settings.
  18.0: Firewall rules without routing and NAT settings; NAT rules; SD-WAN policy routes.

Primary and backup gateways
  17.5 and earlier: Yes.
  18.0: Yes.

When the gateways go down
  17.5 and earlier: WAN link load balancing is applied.
  18.0: Based on the Override gateway monitoring decision setting:
    Selected: Traffic drops.
    Not selected: WAN link load balancing is applied. Traffic is load balanced among the active WAN links. Routing remains persistent.

When the primary gateway is deleted
  17.5 and earlier: WAN link load balancing is applied.
  18.0: WAN link load balancing is applied.

Routing of internal traffic
  17.5 and earlier: The routing settings of the firewall rule with source and destination zones set to internal zones are applied.
  18.0: Routing is applied to all the zones in a network, including internal zones, based on the destination networks. If you create policy routes with Destination networks set to Any, XG Firewall also routes internal traffic to the WAN interface. For details, go to Troubleshooting.


3.7.1.2 How migrated SD-WAN policy routes work

Firewall rules: Migrated as independent rules and policies:
  • Firewall rules without routing settings.
  • Migrated NAT rules.
  • Migrated SD-WAN policy routes with the associated firewall rule ID and name.
  XG Firewall uses the firewall rule ID to match traffic with migrated routes.

Firewall rules with Destination zones set to LAN and no gateway: Migrated SD-WAN policy routes aren't created.

Firewall rules with Destination zones set to WAN and WAN link load balance: Migrated SD-WAN policy routes aren't created. WAN link load balancing is applied.

Zones in firewall rules: Individual migrated SD-WAN policy routes are created when multiple firewall rules differ only in the source and destination zone criteria.

Sequence of migrated SD-WAN policy routes: Can’t change the sequence because these routes correspond to the firewall rule sequence.

Settings you can change in migrated SD-WAN policy routes: Only routing parameters:
  • Primary gateway
  • Backup gateway
  • Override gateway monitoring decision

Migrated firewall rule is deleted: The associated migrated SD-WAN policy route is deleted.

Routing precedence: The routing precedence specified in the earlier version is migrated. You may want to set it to the default precedence for 18.0: Static route, SD-WAN policy route, VPN route.

3.7.1.3 New functionality in SD-WAN policy routing

Application-based routing: Requires an active Web Protection license.
  WAN link load balance: The first connection from an application is routed using WAN link load balance, the default route. The specified application-based route applies to subsequent connections after XG Firewall learns the session details.
  High availability: The cached application-based routing details are synchronized over the dedicated HA link using the multicast IP address 226.1.1.1 on port 4455.
  Micro apps: Web proxy mode doesn't support application-based routing for micro apps. It supports only pattern applications and Synchronized Security applications. The DPI engine supports application-based routing for all applications, including micro apps.
  To see how to configure application-based routing, go to How to configure SD-WAN policy routes.

Users and groups: Can create SD-WAN policy routes based on users and groups.

System-generated traffic:
  • Can create SD-WAN policy routes.
  • Can specify the gateways.
  • Requires a WAN interface.
  SD-WAN policy routing for system-generated traffic is turned off by default. To turn it on, go to the command-line console.

Reply packets:
  • Can create SD-WAN policy routes.
  • Can select a specific gateway. Reply packets can use a different route compared to the original route based on the specified gateway. You can specify primary and backup gateways.
  SD-WAN policy routing for reply packets is turned off by default. To turn it on, go to the command-line console.

3.7.2 SD-WAN policy routing

SD-WAN policy routing allows you to implement routing decisions based on the policies that you specify. It enables you to override routing based on destination IP addresses and routing tables.

You can route traffic based on SD-WAN policy routing criteria, such as the incoming interface,source and destination networks, services, application objects, users, and user groups. You canspecify the primary and backup gateways to route the traffic through.

These policy routes allow you to specify gateway failover and failback, using a combination ofconnections, for example, MPLS, VPN, broadband. You can also route critical applications andbandwidth-sensitive traffic, such as VoIP through high-speed ISP links.

You can create IPv4 and IPv6 SD-WAN policy routes.

Application-based routing

Application objects store the application's session details (protocol, destination port, and destination IP address) during the first session. XG Firewall uses the session details to match traffic with an SD-WAN routing policy for future sessions. When session details have been removed or haven't yet been stored, XG Firewall doesn't apply policy-based routing.

The time to live (TTL) of application session details is 3600 seconds from the start of the session. Ifanother session doesn't start within this period, the session details are purged.

When you restart XG Firewall, the session details of all application objects are purged.
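The following Python script is an added example, not XG Firewall code. It models the behaviour described above so the operational consequence is visible: the first session of an application cannot be matched by an application-based route and takes the default route (WAN link load balance), later sessions to the learned protocol, destination port and destination IP follow the application route, a new session within the 3600-second TTL refreshes the details, and a restart purges everything. The cache keyed on that tuple, the gateway names, and the route table are assumptions chosen for the illustration.

```python
"""Model of how application-based SD-WAN routes take effect (added example; not XG Firewall code).

The data structure is an assumption used to illustrate the page's description: the first
session is classified only after it has been routed, so it takes the default route, and
later sessions to the learned (protocol, destination IP, destination port) tuple follow
the application route while the cached details are fresh.
"""
from dataclasses import dataclass

TTL_SECONDS = 3600          # from the page: session details live 3600 s from session start


@dataclass
class Entry:
    app: str
    expires_at: float


class AppRouteCache:
    def __init__(self) -> None:
        self._entries: dict = {}          # (proto, dst_ip, dst_port) -> Entry

    def decide(self, proto: str, dst_ip: str, dst_port: int, now: float, app_routes: dict) -> str:
        """Return the gateway for a new session; app_routes maps application object -> gateway."""
        key = (proto, dst_ip, dst_port)
        entry = self._entries.get(key)
        if entry is None or entry.expires_at <= now:
            self._entries.pop(key, None)                 # purge stale details
            return "wan-link-load-balance"               # default route: details not yet learned
        entry.expires_at = now + TTL_SECONDS             # a new session within the TTL refreshes it
        return app_routes.get(entry.app, "wan-link-load-balance")

    def learn(self, proto: str, dst_ip: str, dst_port: int, app: str, now: float) -> None:
        """Called once the DPI engine has classified the first session."""
        self._entries[(proto, dst_ip, dst_port)] = Entry(app, now + TTL_SECONDS)

    def restart(self) -> None:
        """A reboot purges every cached application entry."""
        self._entries.clear()


# Constructed data: route the 'VoIP-App' application object through GW-ISP2.
APP_ROUTES = {"VoIP-App": "GW-ISP2"}

if __name__ == "__main__":
    cache = AppRouteCache()
    print(cache.decide("udp", "198.51.100.7", 5060, 0, APP_ROUTES))     # first session: default route
    cache.learn("udp", "198.51.100.7", 5060, "VoIP-App", 0)
    print(cache.decide("udp", "198.51.100.7", 5060, 100, APP_ROUTES))   # now GW-ISP2
```

The first-session behaviour matters when the application route exists to keep traffic off an untrusted link: at least one connection per destination will still use the default route, and after a restart that happens again for every destination.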

System-generated traffic and reply packets

You can create policy routes for system-generated traffic and reply packets. On the command-line interface, make sure you turn on routing for each of them independently.

You can configure asymmetric routing for reply packets, specifying an interface other than theinterface used by the original traffic.

For system-generated traffic, select only the destination networks and services because the sourceinterface and network remain unknown. For example, services used by XG Firewall flow throughdifferent interfaces, depending on the type of service.

To see the routing status and turn routing on or off for system-generated traffic and reply packets,use the following CLI commands.

Show routing status:

console> show routing sd-wan-policy-route system-generate-traffic

console> show routing sd-wan-policy-route reply-packet

Turn on routing:

console> set routing sd-wan-policy-route system-generate-traffic enable

console> set routing sd-wan-policy-route reply-packet enable

Turn off routing:

console> set routing sd-wan-policy-route system-generate-traffic disable

console> set routing sd-wan-policy-route reply-packet disable

Route precedence

Routing follows the precedence you specify on the command-line interface. The default routing precedence is static routes, SD-WAN policy routes, then VPN routes. The route types, in the default precedence order, and the precedence command are shown below.

1. Static routes, which include the following:
   • Directly connected networks
   • Dynamic routing protocols
   • Unicast routes
2. SD-WAN policy routes
3. VPN routes (only policy-based IPsec VPNs)

Set the routing precedence on the command-line interface.

Example: console> system route_precedence set static sdwan_policyroute vpn

Default route (WAN link manager): Fallback route if traffic doesn't match any configured route.


Routing settings: Internet and internal traffic

To create an SD-WAN policy route for internet traffic, you can set Destination networks to a WAN host or to Any.

If traffic doesn’t match any SD-WAN policy route, XG Firewall applies the settings specified in theWAN link manager.

CAUTION: If your route precedence specifies SD-WAN policy routes before static routes and you set Destination networks to Any, XG Firewall applies the policy route to all (external and internal) traffic, forcing your internal sources to use the WAN gateway for internal destinations.

This is likely to occur if you migrated from an earlier version to 18.0 or if you changed the default route precedence. To see the route precedence, go to the command-line interface and use the following command:

console> system route_precedence show

If you want the internal traffic (for example, internal hosts accessing internal devices and servers) to reach the internal network directly, set the routing precedence with static routing before SD-WAN policy routing on the command-line interface.

Example: console> system route_precedence set static sdwan_policyroute vpn

Now, XG Firewall applies the static routes before it applies the SD-WAN policy-based routes. Internal traffic is forwarded directly to the internal destination.

Tip: You can see the routing precedence on the command-line interface or on the SD-WAN policy routing page on the web admin console.

Policy route actions and gateway status

• To change the sequence of an SD-WAN policy route, drag and drop the route. XG Firewall evaluates policy routes from top to bottom until it finds a match. Once it finds a match, it doesn’t evaluate subsequent routes.

• To turn on or turn off a route, use the Status switch.

• To edit a route, click Edit.

Gateway status icons:

• Primary or backup gateway is up and the policy route is live.

• Gateway is down and the policy route isn’t live. Override gateway monitoring is off.

• Gateway is down and override gateway monitoring is on.

Hover over the status icon to view the statuses of the primary and backup gateways and the override gateway monitoring setting.
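The following Python script is an added example, not XG Firewall code. It models three behaviours described in this section together: the route precedence set with system route_precedence, top-to-bottom first-match evaluation of SD-WAN policy routes, and primary/backup gateway failover with the Override gateway monitoring decision. Running it reproduces the CAUTION above: with the migrated precedence (SD-WAN policy routes before static routes) a route with Destination networks set to Any carries LAN-to-DMZ traffic to the WAN gateway, while the 18.0 default precedence keeps it on the directly connected network. The interface and gateway names, the route table and the address ranges are constructed for the example.

```python
"""Model of route selection in SFOS 18.0 (added example; not XG Firewall code).

It reproduces three behaviours described on this page: the route precedence set with
'system route_precedence', top-to-bottom first-match evaluation of SD-WAN policy routes,
and primary/backup gateway failover with the Override gateway monitoring decision.
Gateway and interface names, and the route table, are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class PolicyRoute:
    name: str
    dst: Optional[str]                 # CIDR, or None for Destination networks = Any
    primary: str
    backup: Optional[str] = None
    override_monitoring: bool = False  # route through the gateway even if it is down
    src: Optional[str] = None          # CIDR, or None for Any


@dataclass
class Firewall:
    connected: dict                    # interface -> CIDR (static routes: directly connected)
    policy_routes: list                # PolicyRoute objects in table order
    gateway_up: dict                   # gateway name -> bool from gateway monitoring
    vpn_routes: dict = field(default_factory=dict)   # CIDR -> tunnel (policy-based IPsec)
    precedence: Tuple[str, ...] = ("static", "sdwan_policyroute", "vpn")   # 18.0 default

    def _static(self, dst):
        for iface, net in self.connected.items():
            if dst in ipaddress.ip_network(net):
                return ("static", iface)
        return None

    def _sdwan(self, src, dst):
        for r in self.policy_routes:                   # top to bottom, first match wins
            if r.dst and dst not in ipaddress.ip_network(r.dst):
                continue
            if r.src and src not in ipaddress.ip_network(r.src):
                continue
            for gw in (r.primary, r.backup):            # failover to backup, failback to primary
                if gw and self.gateway_up.get(gw, False):
                    return ("sdwan_policyroute", f"{r.name} via {gw}")
            if r.override_monitoring:
                return ("sdwan_policyroute", f"{r.name} via {r.primary} (down: traffic drops)")
            return ("wan_link_load_balance", "active WAN links")   # override not selected
        return None

    def _vpn(self, dst):
        for net, tunnel in self.vpn_routes.items():
            if dst in ipaddress.ip_network(net):
                return ("vpn", tunnel)
        return None

    def route(self, src: str, dst: str):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for table in self.precedence:
            if table == "static":
                hit = self._static(dst)
            elif table == "sdwan_policyroute":
                hit = self._sdwan(src, dst)
            else:
                hit = self._vpn(dst)
            if hit:
                return hit
        return ("wan_link_load_balance", "default route")   # WAN link manager fallback


def build(precedence, gateway_up, override=False):
    """Constructed topology: two internal networks and one migrated route with Destination = Any."""
    return Firewall(
        connected={"Port1 (LAN)": "10.0.1.0/24", "Port2 (DMZ)": "10.0.2.0/24"},
        policy_routes=[PolicyRoute("#3 Migrated LAN to WAN", dst=None, primary="GW-ISP1",
                                   backup="GW-ISP2", override_monitoring=override)],
        gateway_up=gateway_up,
        precedence=precedence,
    )


if __name__ == "__main__":
    up = {"GW-ISP1": True, "GW-ISP2": True}
    # Migrated precedence: the Destination = Any route captures LAN -> DMZ traffic.
    print(build(("sdwan_policyroute", "vpn", "static"), up).route("10.0.1.5", "10.0.2.9"))
    # 18.0 default precedence: directly connected networks win, internal traffic stays internal.
    print(build(("static", "sdwan_policyroute", "vpn"), up).route("10.0.1.5", "10.0.2.9"))
    # Primary gateway down: the backup carries internet traffic.
    print(build(("static", "sdwan_policyroute", "vpn"),
                {"GW-ISP1": False, "GW-ISP2": True}).route("10.0.1.5", "203.0.113.10"))
```

Two things the model makes explicit that the tables only imply: a policy route that matches is final even when its gateways are down (the packet goes to WAN link load balance or is dropped, and no later route is consulted), and the only thing that protects internal traffic from a Destination = Any route is the precedence of static routes, not the route order.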


Migrated IPv4 and IPv6 policy routes

In SFOS 18.0 and later versions, you need to specify routing policies in SD-WAN policy routing. Firewall rules no longer include routing settings. When you migrate from an earlier version, XG Firewall migrates the routing settings in firewall rules as Migrated SD-WAN policy routes. You can see them in the SD-WAN policy routing table. You can identify these migrated policy routes by the firewall rule ID and name.

To turn routing on or off for system-generated traffic and reply packets, go to the command-lineinterface.

Route precedence

During migration, XG Firewall retains the routing precedence you specified in the previous version.The default routing precedence in versions earlier than 18.0 is SD-WAN policy routes, VPN routes,then static routes.

CAUTION: Because routing is not linked to firewall rules in 18.0, migrated policy routes with Destination networks set to a WAN host or Any also apply to internal traffic, routing this traffic through the WAN gateway.

To allow internal traffic to reach internal destinations directly, go to the command-line interface and set the routing precedence with static routing before SD-WAN policy routing.

Tip: To take advantage of the SD-WAN policy route benefits, such as creating routing policies based on application objects, users, and groups, we recommend creating SD-WAN policy routes to replace the migrated routes.

The following rules apply to migrated routes:

• XG Firewall automatically prefixes the firewall rule ID to the policy route name.

• XG Firewall uses the firewall rule ID to match traffic with migrated routes.

• Zones are not part of SD-WAN policy route settings. When more than one firewall rule specifiesthe same source and destination networks, but different zones, individual policy routes thatcorrespond to the firewall rules are created.

• You can't change the sequence of migrated policy routes, since they correspond to the firewallrule sequence.

• If you delete the firewall rule, the migrated policy route is deleted.

• You can edit only the gateways and the gateway monitoring decision.

Tip: Make sure you take a backup of the current configuration before you start deleting the migrated policy routes.


3.7.3 Add an SD-WAN policy route

You can route traffic based on SD-WAN policy routing criteria, such as the incoming interface, source and destination networks, services, application objects, users, and user groups.

You can specify the primary and backup gateways to route the traffic through.

1. Go to Routing > SD-WAN policy routing. Scroll down to IPv4 or IPv6 SD-WAN policy routeand select Add.

2. Type a name.

3. Select the traffic selector settings.

Incoming interface: Select the interface through which traffic specified in this route enters XG Firewall. Deleting the interface also deletes the policy route.

DSCP marking: Select the level of DSCP marking to match incoming packets for priority. For details, see DSCP Value.
  Expedited forwarding (EF): Priority queuing that ensures low delay and low packet loss. Suitable for real-time services.
  Assured forwarding (AF): Assured delivery, but with packet drop if congestion occurs. Assigns higher priority than best-effort.
  Class selector (CS): Backward compatibility with network devices that use IP precedence in type of service.

Source networks and Destination networks: Select from the list or create new ones. You can add an IP address, range or list, a network, an FQDN or FQDN group, or other address objects.

Services: Select a service or create a new one to specify the type of traffic to route. Services are a combination of ports and protocols. For example, you can specify services for HTTP protocol with TCP port 80 and HTTPS protocol with TCP port 443.

Application object: Specify the application objects. Use this to route certain application objects through the specified gateways. For example, you can route VoIP applications through a specific gateway. XG Firewall uses the details of the first session to match traffic with an SD-WAN routing policy for future sessions. The time to live (TTL) of application session details is 3600 seconds from the start of the session. If another session doesn't start within this period, the session details are purged. For details, see SD-WAN policy routing.

Users or groups: Specify the users and user groups.

4. Specify the routing settings.

Primary gateway: Select the primary gateway to route traffic. If you delete the selected gateway, XG Firewall will delete the policy route and implement WAN link load balance to route traffic. If the primary gateway goes down, XG Firewall routes traffic through the backup gateway. When the primary gateway comes back up, traffic is routed through it.

Backup gateway: If you've configured more than one gateway, select the backup gateway. If you delete the selected gateway, the backup gateway will be set to None.

Override gateway monitoring decision: Select if you want to route traffic through the selected gateway even if the gateway is down.

5. Select Save.

3.7.4 Migrated SD-WAN policy routes

These route settings are migrated from versions earlier than SFOS 18.0, in which firewall rules contained route settings.


You can change the route name, primary and backup gateways, and the gateway monitoringdecision.

1. Go to Routing > SD-WAN policy routing. Scroll down to IPv4 or IPv6 Migrated SD-WAN policy route and click Add.

2. Type a name.

3. The firewall rule ID and name identify the rule that the route migrated from. Select the tooltip tosee the rule’s source, destination, service, and action settings.

4. The gateway specified in the firewall rule becomes the Primary gateway.

If you delete the selected gateway, XG Firewall will delete the policy route and implement WANlink load balance to route traffic.

If the primary gateway goes down, XG Firewall routes traffic through the backup gateway.When the primary gateway comes back up, traffic is routed through it.

5. If a Backup gateway was specified in the firewall rule, it is used here.

If you delete the selected gateway, the backup gateway will be set to None.

6. Override gateway monitoring decision is selected during migration to replicate the behaviorof the routes in the original firewall rules.

7. Select Save.

3.7.5 Troubleshooting

Some SD-WAN policy route problems and solutions are below:

Traffic between networks connected to internal ports is being routed to the WAN interface

If traffic between directly connected networks, such as networks or subnets connected to the LAN or DMZ ports, flows through the WAN interface instead of passing directly to the internal network, do as follows:

• Check if an SD-WAN policy route has Destination networks set to Any.

Change the setting from Any to a specific choice (example: WAN) from the list. Setting it toAny forces XG Firewall to forward internal traffic also to the WAN interface.

• If you want to retain the above generic policy route, create an SD-WAN policy route with aspecific choice for the destination network. Place this route above the Any policy route. Policyroutes are enforced from the top down.

• Alternatively, go to Routing > SD-WAN policy routing and view the route precedence in thebox below the menu.

Static routes include directly connected networks. To allow XG Firewall to forward internalnetwork traffic directly, the route precedence should be static route before the SD-WAN policyroute. Change the route precedence from the command-line console:

Example: console> system route_precedence set static sdwan_policyroute vpn


Lost access to XG Firewall after creating an SD-WAN policy route

If you lost access to the web admin and SSH consoles of XG Firewall, check if all the following scenarios occurred. To regain access, you need to change any one of the settings.

• Route precedence set to SD-WAN policy route before static route.

To view the route precedence, go to Routing > SD-WAN policy routing and see the boxbelow the menu. The route precedence should be static route before the SD-WAN policy route.You can change the route precedence from the command-line console:

Example: console> system route_precedence set static sdwan_policyroute vpn

• Destination networks set to Any in the newly created SD-WAN policy route for a specificinternal subnet. You can change the setting to a specific choice.

• SD-WAN policy routing turned on for system-generated traffic.

Go to the command-line console and use this command: show routing sd-wan-policy-route system-generate-traffic

You can turn off SD-WAN policy routing for system-generated traffic.

• SD-WAN policy routing turned on for reply packets.

Go to the command-line console and use this command: show routing sd-wan-policy-route reply-packet

You can turn off SD-WAN policy routing for reply packets.

If all these scenarios occur, XG Firewall enforces the generic SD-WAN policy route before staticroutes and implements it on system-generated traffic and reply packets too. Access to the webadmin and SSH consoles is lost from the internal subnet specified in the policy route. However,access is available from other subnets.

An SD-WAN policy route doesn’t show in the policy route table

If a migrated SD-WAN policy route or a route you created doesn't show any longer, do as follows:

• Check if you deleted the primary gateway specified in the route. Deleting an SD-WAN policyroute's primary gateway deletes the route.

• If it's a migrated route, check if you deleted the associated firewall rule.

Routing settings in firewall rules are migrated from 17.5 or earlier to 18.0 as migrated SD-WANpolicy routes. These are associated with the original firewall rule. If you delete the firewall rule,the associated route is deleted.

3.8 Enhanced High Availability

You can now update more high availability settings without breaking HA and can also use the new QuickHA configuration mode.

The following settings can now be updated without breaking HA:

• Cluster ID.


• Monitoring ports.

• Peer administration port.

• Using the hypervisor-assigned MAC address.

• Fail back to the primary device.

• Keepalive timer.

• Keepalive attempts.

You can now use the QuickHA configuration mode to set up HA quickly and easily.

3.8.1 QuickHA

QuickHA provides a way to quickly set up an HA cluster with the minimum configuration steps.

QuickHA lets you set up XG Firewall as a high availability (HA) system easily and quickly.

You can use QuickHA to set up HA systems using both hardware and software appliances. It usespre-designated HA ports to minimize your input.

You can configure your XG Firewall devices in any order.

Note: You can't enable HA if you turned on STP on a bridge interface.

To use QuickHA, do the following.

1. Connect the XG Firewall devices using a network cable plugged into the dedicated HA port onboth units.

2. Sign in to the web admin console of the primary XG Firewall and go to System services >High availability.

3. Select the Initial device role.

4. Ensure QuickHA is selected. You’ll see default settings (which you can change), as describedin the steps that follow.

5. QuickHA generates a Passphrase automatically. You can also change the passphrasemanually.

Note: The passphrase is used only once to generate the SSH keys used to encrypt communication over the HA link. It's then deleted.

6. Quick HA selects a Dedicated HA link automatically. You can also select an interfacemanually.


Note: By default, QuickHA selects the first unbound interface. If this is not available, it uses the first DMZ port. This interface will be renamed QuickHA Mode interface and assigned an IPv4 address from the link-local range, 169.254.0.0/16.

CAUTION: If QuickHA selects a DMZ port that’s already in use, its current configuration will be overwritten.

7. Click Initiate HA.

8. Sign in to the web admin console of the auxiliary XG Firewall and go to System services >High availability.

9. Select Auxiliary as the device role.

10. Select QuickHA and enter the same Passphrase used on the primary XG Firewall.

11. Click Initiate HA. You see a message about the configuration being overwritten. This isbecause the configuration will be synchronized from the primary XG Firewall.

The following status messages are displayed during the QuickHA setup process:

• "Device Discovery Started. Dedicated HA link configured." QuickHA confirms that a dedicated link has been configured.

• "One time Password set for dedicated Interface. Device Discovery In-Progress." QuickHA is trying to connect the primary and auxiliary devices.

• "Peer detected. Initial SSH Handshake In-Progress." The auxiliary device has been detected and the initial connection is being established.

• "Peer detected. Initial Synchronization Started." Configuration sync is in progress.

• "Established" HA has been established.

• "Not established" HA has not been established. Check all settings and connections.

3.9 Alerts and Notifications

There is a new option to choose from dozens of system and threat-related alerts and have notifications sent via email or SNMP.


1. Go to System services > Notification list.

2. Turn on Email notifications to send notifications to the administrator.

3. Turn on SNMP traps to send traps to the SNMP manager.

4. Select the events from the list.

5. Select Save.

3.10 Intelligent IPS signature selection

XG Firewall receives IPS signatures based on a number of intelligent filtering criteria, such as age, vendor, vulnerability type, and CVSS (Common Vulnerability Scoring System) score, to optimize protection and performance.

3.11 DKIM and BATV anti-spam protection

Anti-spam protection is improved with support for DomainKeys Identified Mail (DKIM), which detects forged sender addresses, and Bounce Address Tag Validation (BATV), which determines whether the bounce address specified in a received email is valid and rejects backscatter spam.

3.11.1 DKIM verification and signing

With DKIM, you can validate the source domain name and message integrity through cryptographicauthentication, preventing email spoofing. You can apply DKIM verification to inbound emails andDKIM signatures to outbound emails.

DKIM verification

Turn on verification. XG Firewall looks up the public key in the sending domain’s TXT record to verify the DKIM signature.

If you’ve turned off DKIM verification, specifying SPX encryption, adding a subject prefix,blocking file types, or appending a banner to outbound emails during mail relay modifiesthe email header or body. The modification breaks the DKIM hash, which will result in DKIMverification failure at the recipient MTA.

DKIM verification failed: Body hash mismatch with the signature, indicating that the email body was modified in transit. Alternatively, the signature couldn’t be verified, indicating a forged signature or header modification.

Invalid DKIM signature: Couldn’t find the sending domain’s public key in the TXT record, or the public key syntax is invalid.

No DKIM signature found: The email doesn’t have a DKIM signature for this domain.

Note: XG Firewall quarantines DKIM-signed emails that use RSA SHA-1 or have a key length of less than 1024 or more than 2048 bits.

For each verification outcome, select the action:

Accept: Forwards the email to the recipient.

Quarantine: Quarantines the email.

Reject: Discards the email.
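The following Python script is an added example, not XG Firewall code. It reproduces the part of DKIM verification behind the three outcomes above that can be shown without an RSA library: it parses the DKIM-Signature header, looks up the public key record for <selector>._domainkey.<domain> in a constructed dictionary that stands in for DNS, and recomputes the bh= body hash with the "simple" body canonicalization of RFC 6376. Appending a banner to the body, which is what the paragraph on mail relay modification warns about, turns a passing body hash into "DKIM verification failed". The RSA check of the b= tag is not performed, so a message that passes here is reported as unverified rather than as passing; the message, key and signature values are constructed placeholders.

```python
"""DKIM body-hash check and the verification outcomes on this page (added example; not XG Firewall code).

Only the bh= (body hash) part of verification is implemented, with the 'simple' body
canonicalization of RFC 6376. The RSA check of the b= tag is out of scope here, so a
message that passes this check is 'unverified' rather than 'pass'. The DNS answers are a
constructed dictionary standing in for the TXT lookup of <selector>._domainkey.<domain>.
"""
import base64
import hashlib


def parse_tags(value: str) -> dict:
    """Split a DKIM-Signature header or DKIM TXT record into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)          # base64 padding '=' stays in the value
            tags[k.strip()] = "".join(v.split())   # folding whitespace is not significant
    return tags


def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: CRLF line endings, exactly one trailing CRLF."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes) -> str:
    return base64.b64encode(hashlib.sha256(canon_body_simple(body)).digest()).decode()


def classify(headers: dict, body: bytes, dns_txt: dict) -> str:
    """Map a message to the outcome names used on the Email settings page."""
    sig = headers.get("DKIM-Signature")
    if sig is None:
        return "No DKIM signature found"
    tags = parse_tags(sig)
    record = dns_txt.get(f"{tags.get('s')}._domainkey.{tags.get('d')}")
    if record is None or not parse_tags(record).get("p"):
        return "Invalid DKIM signature"          # no public key in DNS, or an empty (revoked) p=
    if tags.get("c", "simple/simple").split("/")[-1] != "simple":
        raise NotImplementedError("only simple body canonicalization is modelled here")
    if tags.get("bh") != body_hash(body):
        return "DKIM verification failed"        # body modified in transit
    return "unverified (body hash matches; RSA signature not checked here)"


# Constructed message and DNS data for the demonstration.
BODY = b"Hello,\r\n\r\nPlease find the invoice attached.\r\n"
HEADERS = {
    "From": "billing@example.com",
    "DKIM-Signature": (
        "v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=london; "
        "h=from:to:subject; bh=" + body_hash(BODY) + "; b=PLACEHOLDERSIG"
    ),
}
DNS = {"london._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDERKEY"}
BANNER = b"\r\n--\r\nThis email was scanned by the gateway.\r\n"

if __name__ == "__main__":
    print(classify(HEADERS, BODY, DNS))
    print(classify(HEADERS, BODY + BANNER, DNS))          # an appended banner breaks bh=
    print(classify(HEADERS, BODY, {}))                    # no key published
    print(classify({"From": "x@example.com"}, BODY, DNS))
```

The banner case is the one to keep in mind when XG Firewall relays signed mail: any change to the signed body or to a signed header after signing produces exactly this failure at the receiving MTA, however good the key is.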

DKIM signing

XG Firewall adds a digital signature to the headers of outbound emails, using the domain name, selector, and the private RSA key that you specify. Destination servers use the public key in the domain’s TXT records to verify the signature, ascertaining domain authorization and that the email has not been modified in transit.

• To add a DKIM signature, select Add.

3.11.2 Add a DKIM signature

You can add DKIM signatures to the headers of outbound emails by specifying the domain, a selector, and a private RSA key.

A domain can have more than one signature.

1. Go to Email > General settings. Scroll down to DKIM signing and click Add.

2. For Domain, enter the FQDN of the domain.

3. Enter the Key selector.

Tip: You can use the location or name of a specific mail server to identify outbound mails from the server, for example, london or mailserver1.

4. Enter the Private RSA key.

Note: You can generate the key using a key generator, for example, PuTTYgen or OpenSSL. A private key can have 1024 to 2048 bits. Don’t use RSA SHA-1.

5. Select Save.


Update the TXT record for the DKIM signature on the DNS server. Once the DNS changespropagate, the DKIM signature will take effect.
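The following Python script is an added example, not XG Firewall code. It builds the value of the TXT record published at <selector>._domainkey.<domain> from an RSA public key, and checks a record against the key policy stated in these notes (no RSA SHA-1, key length between 1024 and 2048 bits) by decoding the modulus from the DER SubjectPublicKeyInfo carried in the p= tag. Because only the key length matters for the policy, the key is replaced by a constructed modulus of the wanted size rather than a generated key pair; the selector, domain and modulus values are assumptions.

```python
"""DKIM TXT record construction and the key policy stated in the notes above (added example; not XG Firewall code).

The notes say XG Firewall quarantines DKIM-signed mail that uses rsa-sha1 or whose key is
shorter than 1024 or longer than 2048 bits. This example builds the TXT record value that
is published at <selector>._domainkey.<domain> and checks a record against that policy by
decoding the modulus from the DER SubjectPublicKeyInfo in p=. The RSA key is replaced by a
constructed modulus of the wanted size, because only its length matters here.
"""
import base64

_RSA_ALG_ID = bytes.fromhex("06092a864886f70d010101") + b"\x05\x00"   # rsaEncryption OID, NULL


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _der_int(value: int) -> bytes:
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw                  # keep the INTEGER positive
    return _der(0x02, raw)


def make_spki(modulus: int, exponent: int = 65537) -> bytes:
    """DER SubjectPublicKeyInfo for an RSA key (the format DKIM publishes in p=)."""
    rsa_key = _der(0x30, _der_int(modulus) + _der_int(exponent))
    return _der(0x30, _der(0x30, _RSA_ALG_ID) + _der(0x03, b"\x00" + rsa_key))


def _tlv(buf: bytes, pos: int = 0):
    """Read one DER tag-length-value; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def modulus_bits(spki: bytes) -> int:
    tag, body, _ = _tlv(spki)
    if tag != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo")
    _, _, after_alg = _tlv(body)                 # AlgorithmIdentifier
    _, bit_string, _ = _tlv(body, after_alg)     # BIT STRING, first byte = unused bits
    _, rsa_key, _ = _tlv(bit_string[1:])         # RSAPublicKey SEQUENCE
    _, modulus, _ = _tlv(rsa_key)                # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()


def dkim_txt_record(selector: str, domain: str, spki: bytes):
    """Return (owner name, TXT value). Values over 255 bytes must be split into quoted strings."""
    return (f"{selector}._domainkey.{domain}",
            "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode())


def key_policy(algorithm: str, txt_value: str):
    """Apply the page's rule: no rsa-sha1, key length 1024..2048 bits. Returns (accepted, reason)."""
    if algorithm == "rsa-sha1":
        return False, "rsa-sha1 signatures are quarantined"
    tags = {}
    for part in txt_value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        return False, "no usable RSA public key in the TXT record"
    bits = modulus_bits(base64.b64decode(tags["p"]))
    if not 1024 <= bits <= 2048:
        return False, f"key length {bits} bits is outside 1024..2048"
    return True, f"rsa key of {bits} bits accepted"


if __name__ == "__main__":
    name, value = dkim_txt_record("london", "example.com", make_spki((1 << 2047) + 12345))
    print(name, "TXT", value[:40] + "...")
    print(key_policy("rsa-sha256", value))
    print(key_policy("rsa-sha256", dkim_txt_record("x", "example.com", make_spki((1 << 4095) + 1))[1]))
```

When publishing a real key, the base64 string usually exceeds the 255-byte limit of a single TXT character string, so the value must be split into several quoted strings in the zone file; verifiers concatenate them before parsing.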

3.11.3 BATV

XG Firewall matches the recipient address in bounced emails with the BATV signature, rejecting emails with an invalid return address or expired signature. This protects recipients from bounced emails with forged return addresses.

1. Go to Email > General settings. Scroll down to Advanced SMTP settings and specify a BATV secret.

If you have more than one MX record for your domains, you can specify the same BATV secret (Bounce Address Tag Validation) for all the systems.

XG Firewall generates the BATV signature, using this secret, the time stamp, and the sender's email address. It replaces the envelope sender address with the signature in outbound emails, which enables it to identify bounced emails with forged return addresses.

Signature format: prvs=<tagvalue>=<sender's email address>

Once you enter the secret, you can apply BATV check in SMTP route and scan policies.

2. Go to Email > Policies and exceptions > Add SMTP route and scan and select Reject based on BATV.

BATV signatures expire in seven days.

3. To create an exception from BATV check, go to Email > Policies and exceptions > Add exception.

To allow a sender to receive bounced emails without BATV check, enter the sender's email address in Sender addresses and Recipient addresses.
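An added example, not Sophos code, of how the signature format prvs=<tagvalue>=<sender's email address> can be generated from a secret, a time stamp and the sender, and then checked on the bounce: an invalid tag is rejected, a tag older than seven days is rejected as expired, and an address on the exception list bypasses the check. The tag layout (key number, expiry day mod 1000, six hex digits of HMAC-SHA256) is the IETF BATV draft layout, an assumption here; the secret and addresses are constructed.

```python
import hashlib
import hmac
from datetime import date

TAG_LIFETIME_DAYS = 7          # BATV signatures expire in seven days
EPOCH = date(1970, 1, 1)

def _day_number(d: date) -> int:
    return (d - EPOCH).days

def _mac(secret: str, ddd: str, sender: str) -> str:
    """Six hex digits of HMAC-SHA256 over the expiry day and the sender address."""
    msg = (ddd + sender.lower()).encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()[:6]

def batv_sign(secret: str, sender: str, today: date, key_no: int = 0) -> str:
    """Rewrite the envelope sender as prvs=<tagvalue>=<sender>.

    tagvalue = K (one-digit key number) + DDD (expiry day number mod 1000)
               + six hex digits of the MAC.  Layout is an assumption."""
    ddd = f"{(_day_number(today) + TAG_LIFETIME_DAYS) % 1000:03d}"
    return f"prvs={key_no}{ddd}{_mac(secret, ddd, sender)}={sender}"

def batv_check(secret: str, recipient: str, today: date,
               exceptions=frozenset()) -> tuple:
    """Classify a bounce by its recipient address (the tagged return address).

    Returns (verdict, original sender).  Untagged recipients are treated as
    invalid unless listed in the exception set (step 3 above)."""
    if not recipient.startswith("prvs="):
        if recipient.lower() in {e.lower() for e in exceptions}:
            return "accept-exception", recipient
        return "reject-invalid", recipient
    tag, sep, sender = recipient[len("prvs="):].partition("=")
    if not sep or len(tag) != 10 or not tag[:4].isdigit():
        return "reject-invalid", sender
    ddd, mac = tag[1:4], tag[4:]
    if not hmac.compare_digest(mac, _mac(secret, ddd, sender)):
        return "reject-invalid", sender      # wrong secret or altered address
    # Days left until expiry, computed modulo 1000 like the day field itself;
    # anything beyond the lifetime means the tag has already expired.
    if (int(ddd) - _day_number(today)) % 1000 > TAG_LIFETIME_DAYS:
        return "reject-expired", sender
    return "accept", sender
```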

3.11.4 Quarantine settings

You can specify the quarantine area on XG Firewall. You can also specify the IP address or hostname to use in the quarantine release links that are sent in the quarantine digest.

Quarantine settings

The menu title Quarantine settings has been renamed Quarantine settings.

To set the release link settings in the quarantine digest or to specify the quarantine area in XG Firewall, go to Email > Quarantine settings.

Release link settings

Select the IP address or hostname to use in the release links sent in the quarantine digest email. Users can select the links to release individual emails. Alternatively, they can select My account in their digest to manage their quarantined emails.

Reference user portal IP: The IP address of the selected port is used in the release links. Users who belong to the port's network can use these links.

Other users can access the user portal, using https://<IP address of XG Firewall>, and manage their quarantined emails.


User interaction setting: The option selected in Administration > Admin settings > Admin console and end-user interaction is used in the release links.

You can select the firewall hostname, the IP address of the first internal interface that you specify, or a custom hostname.

Example:

IP address of the port or first internal interface: 10.8.9.54

Release link: https://10.8.9.54:4444/webconsole/Controller?mode=458

Firewall or custom hostname: myfirewall

Release link: https://myfirewall:4444/webconsole/Controller?mode=458

Quarantine area

Disk size: Specify the size of the quarantine area in XG Firewall.

A disk usage check runs every five minutes and deletes older emails, lowering usage from 90 per cent and above to 60 per cent of the specified size.

3.12 Kerberos authentication and NTLM

This release adds Kerberos authentication alongside the existing NTLM support for Microsoft Active Directory SSO, extending the range of authentication tools available for customers.

You can choose to use Kerberos and NTLM for authentication, which is the default, or NTLM only.

Option / Description:

• NTLM only: Includes only NTLM in authentication headers. Use this option if you have legacy clients that can't handle Kerberos headers.

• Kerberos & NTLM (default): Includes both NTLM and Kerberos in authentication headers. Browsers choose which mechanism to use.

To turn on Kerberos, go to Authentication > Web authentication.

3.13 RADIUS time-out with two-factor authentication (2FA)

For customers using two-factor authentication (2FA) with RADIUS server authentication, the timeout value is now configurable, allowing additional time to finish the authentication flow when necessary.

You can use two-factor authentication (one-time password) for administrator access, the user portal, IPsec, and SSL VPN.


3.14 Bridge-VLAN support

VLANs are now supported on bridge interfaces, enabling greater networking flexibility and support for advanced inter-VLAN routing and bridging deployments.

3.14.1 Bridge interfaces

Bridges enable you to configure transparent subnet gateways. You can create bridge interfaces with or without an IP address assigned to them.

XG Firewall drops traffic related to bridge interfaces without an IP address if the traffic matches a firewall rule with web proxy filtering or if it matches a NAT rule. These dropped packets aren't logged. To prevent NAT rules from causing the traffic to drop, you need to specify the override source translation setting.

To turn on routing on a bridge interface, you must assign an IP address to it. You can't turn on VLAN filtering on routed traffic.

You can create bridge interfaces in the following setups:

• Bridge over physical interfaces, such as ports and RED devices.

• Bridge over virtual interfaces, such as VLANs and LAGs. The VLAN can be on a physical or virtual interface. It can also be on physical interfaces that are bridge members.

You can turn on STP (Spanning Tree Protocol) to prevent bridge loops, which occur due to redundant paths. You can filter VLAN traffic passing through a bridge interface based on the VLAN IDs. Additionally, you can filter Ethernet frames based on the EtherTypes.

3.14.2 Add a bridge interface

1. Go to Network > Interfaces, click Add interface, and then click Add bridge.

2. Enter a name. You can change this name later.

Maximum number of characters: 58

The subsystems will show the customizable Name and not the Hardware name of the interface.

3. Enter a hardware name for the interface. You can't change this name later.

Maximum number of characters: 10

Allowed characters: (A-Za-z0-9_)

4. Specify the settings.

Option / Description:

• Enable routing on this bridge pair: Turn on routing on this bridge. If you've turned it on, you must assign an IP address to the bridge interface.


• Interface: Interfaces on which you can set up a bridge:

  • A physical interface, for example, Port1, PortA, or eth0.

  • RED

  • LAG

  • VLAN interface on a physical interface, RED, or LAG

  A bridge can have a maximum of 64 member interfaces.

• Zone: Zone assigned to the interface.

• Member interfaces: Interface and Zone of bridge members. You can select physical and VLAN interfaces. To add more interfaces, select the plus button.

XG Firewall drops traffic related to bridge interfaces without an IP address if the traffic matches a firewall rule with web proxy filtering or if it matches a NAT rule. These dropped packets aren't logged. To prevent NAT rules from causing the traffic to drop, do the following:

a. Go to Rules and policies > NAT rules and select the SNAT rule to edit.

b. Select Override source translation for specific outbound interfaces.

c. Set Outbound interface to the bridge interface without IP address.

d. Set Translated source (SNAT) to Original and click Save.

5. (Optional) Specify the IPv4 or IPv6 configuration details. You must specify these settings if you selected routing on the bridge interface.

Option / Description:

• IP assignment: Method of assigning the IP address. Select from the following options:

  • Static

  • DHCP

• IPv4/Netmask or IPv6/Prefix: For static IP assignment, enter the IP address and select the netmask or prefix.

• Gateway name: For bridge members with WAN ports, enter the gateway name.

• Gateway IP: If you selected static IP assignment and bridge members with WAN ports, enter the gateway IP address.

6. Specify the VLAN settings to forward or drop VLAN traffic passing through the bridge interface.


Name / Description:

• Filter VLANs: Select to drop VLAN traffic passing through the bridge interface. If you select filtering but don't specify the permitted VLANs, XG Firewall drops tagged traffic from all the VLANs. Untagged traffic isn't dropped. VLAN filtering applies only to bridged traffic. It won't apply to routed traffic.

• Permitted VLAN ID or ID range: Enter VLAN IDs or ranges (example: 20-35). Use this to forward traffic from the specified VLANs to the other bridge members.

7. (Optional) Specify the advanced settings. Use this to control broadcasts and traffic forwarded by the bridge interface.

Option / Description:

• Permit ARP broadcast: By default, bridge interfaces forward ARP (Address Resolution Protocol) broadcasts to discover the destination MAC addresses. Clear the check box to prevent ARP broadcasts. You can use this when there's a broadcast storm. In the absence of ARP broadcasts, bridge interfaces can't create a bridge table with MAC addresses. To specify IP-MAC binding, go to Network and create static entries using Neighbors (ARP-NDP).

• Turn on Spanning Tree Protocol (STP): Turn on STP to prevent bridge loops, which occur when there's more than one path between two bridge interfaces. Redundant paths can result in a broadcast storm in the network. STP also enables failover to redundant paths dynamically when the primary path fails. You can't turn on STP on any bridge interface when HA is enabled.


• STP max age: Interval at which bridges transmit their configuration information. The default interval is 20 seconds. Bridges send bridge protocol data units (BPDU) to transmit information, such as their interface, MAC address, and port priority, to other bridges at the STP max age interval. This enables them to update their tables with the network topology. BPDUs help detect failed paths in the network.

• MAC aging: Interval at which inactive MAC addresses are removed from the bridge table. The default interval is 300 seconds. Bridges record the timestamp of when they learn a MAC address. MAC addresses with timestamps older than the interval are removed. In dynamic networks, such as guest Wi-Fi networks, you can use lower MAC aging intervals. In stable networks, such as networks with data centers, you can use higher intervals.

• MTU: MTU (Maximum Transmission Unit) value, in bytes. It's the largest packet size that a network can transmit. Packets larger than the specified value are divided into smaller packets before they are sent. If the MTU of the bridge interface and its members differs, the bridge interface inherits the lower value. To see the inherited MTU, go to the interface table.

  Example:

  Bridge MTU: 9000

  MTU of the interface used in VLAN (bridge member): 1500

  Inherited bridge MTU becomes 1500.


• Override MSS: Select to override the MSS value. MTU is the sum of the TCP and IP header values and the payload value. When additional packet encapsulation takes place, for example in IPsec tunnels, the packet size can become larger than the defined MTU value, leading to dropped packets or additional fragmentation. Overriding the specified MSS value ensures that the packet size stays within the defined MTU value.

• MSS: MSS (Maximum Segment Size), in bytes. It's the amount of data that can be transmitted in a TCP packet.

• Filter Ethernet frames: The default setting allows all Ethernet frames to pass through the bridge. Select to drop Ethernet frames from passing through the bridge. The drop setting doesn't affect the frames of ARP, IPv4, IPv6, 8021Q, EXTE traffic, which are always allowed. If you select filtering but don't specify the permitted Ethernet frame types, XG Firewall drops traffic for all Ethernet frames except the frames that are always allowed.

• Forwarded Ethernet frame types: Specify the EtherTypes whose Ethernet frames you want to forward through the bridge interface. Enter the four-digit hexadecimal ID of the EtherType. Example: AppleTalk (809B), Novell (8138), PPPoE (8863 and 8864).

To update the log viewer with dropped packet details, go to System services > Log settings. Under Firewall, select Bridge ACLs.

To see the logs, go to Log viewer and select Add filter. Set the field to Log component and Value to Bridge ACLs.

Additionally, you can set the field to Log subtype and the value to ARP broadcasts, EtherType filtering, or VLAN filtering.

8. Select Save.
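An added example, not SFOS code, that models the VLAN settings of step 6 and the ARP broadcast and EtherType filtering settings of step 7 as a decision function, so the effect of a configuration can be checked before it is applied: filtering with an empty permitted list drops every tagged frame, untagged and routed traffic is never dropped by the VLAN filter, and the always-allowed EtherTypes pass the frame filter. The order in which the checks run, the Frame fields and the log line format are assumptions; the EtherType values for ARP, IPv4, IPv6 and 802.1Q are the standard ones (the page's "EXTE" type has no numeric ID given, so it is omitted).

```python
from dataclasses import dataclass, field
from typing import Optional

# EtherTypes the page lists as always allowed through the drop setting:
# ARP, IPv4, IPv6 and 802.1Q (four-digit hex IDs, upper case).
ALWAYS_ALLOWED = {"0806", "0800", "86DD", "8100"}
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

def parse_vlan_ids(spec: str) -> set:
    """'20-35, 100' -> {20, ..., 35, 100}. Valid 802.1Q IDs are 1 to 4094."""
    ids = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 1 <= lo_i <= hi_i <= 4094:
            raise ValueError(f"invalid VLAN ID or range: {part!r}")
        ids.update(range(lo_i, hi_i + 1))
    return ids

@dataclass
class Frame:
    """Constructed view of a frame as the bridge ACL sees it (assumed fields)."""
    ethertype: str                  # four hex digits of the payload EtherType
    vlan_id: Optional[int] = None   # None for untagged frames
    dst_mac: str = "00:11:22:33:44:55"
    routed: bool = False            # VLAN filtering applies to bridged traffic only

@dataclass
class BridgeAcl:
    permit_arp_broadcast: bool = True
    filter_vlans: bool = False
    permitted_vlans: set = field(default_factory=set)
    filter_ethertypes: bool = False
    forwarded_ethertypes: set = field(default_factory=set)

    def decide(self, f: Frame) -> tuple:
        """Return (action, log subtype). Check order is an assumption."""
        et = f.ethertype.upper()
        # "Permit ARP broadcast" cleared: ARP to the broadcast MAC is dropped.
        if not self.permit_arp_broadcast and et == "0806" and f.dst_mac == BROADCAST_MAC:
            return "drop", "ARP broadcasts"
        # Frame filter: only always-allowed types and the forwarded list pass.
        forwarded = {t.upper() for t in self.forwarded_ethertypes}
        if self.filter_ethertypes and et not in ALWAYS_ALLOWED and et not in forwarded:
            return "drop", "EtherType filtering"
        # VLAN filter: with filtering on and no permitted list every tagged
        # frame is dropped; untagged and routed traffic is never dropped here.
        if (self.filter_vlans and not f.routed and f.vlan_id is not None
                and f.vlan_id not in self.permitted_vlans):
            return "drop", "VLAN filtering"
        return "forward", None

def log_line(acl: BridgeAcl, f: Frame) -> str:
    """Constructed log line keyed like the Log viewer filters described above."""
    action, subtype = acl.decide(f)
    vlan = "untagged" if f.vlan_id is None else f.vlan_id
    return (f'log_component="Bridge ACLs" log_subtype="{subtype or "-"}" '
            f"action={action} ethertype={f.ethertype.upper()} vlan={vlan}")
```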

3.15 SNMPv3

Support for SNMPv3 is added, providing more flexibility and security over SNMPv2.


SNMP (Simple Network Management Protocol) gives access to XG Firewall information, for example, status of the firewall, service availability, CPU, memory, and disk usage. XG Firewall now supports SNMPv3 users in addition to SNMPv1 and SNMPv2c protocols, ensuring confidentiality, message integrity, and validity of the user.

SNMP agent

Once you configure XG Firewall as an SNMP agent, it sends traps (alerts) of system-generated events to the specified SNMPv3 users in addition to the SNMP managers within its community.

SNMPv1 and SNMPv2c community and traps

You can configure SNMPv1 and SNMPv2c communities without a distinction between the two protocols. When you configure a community, you can select queries and traps without the need to select the protocol.

SNMPv3 user

You can add an SNMPv3 user and the authorized hosts. You can specify encryption and authentication settings to ensure confidentiality, message integrity, and validity of the user.

MIB and OIDs

XG Firewall offers an updated MIB (Management Information Base), covering a wider range of system-generated events. It supports the following OIDs (Object Identifiers):

• SNMPv2-MIB

• IF-MIB [Counter32 and Counter64 supported]

• SNMPv2-SMI

• IP-MIB

• IP-FORWARD-MIB

• TCP-MIB

• UDP-MIB

3.15.1 Add an SNMPv3 user

You can add an SNMPv3 user and the authorized hosts. You can specify encryption and authentication settings to ensure confidentiality, message integrity, and validity of the user.

1. Go to Administration > SNMP. Scroll down to SNMPv3 users and traps and select Add. You can import or export an SNMP agent, community, or user configuration as a tar file from Backup & firmware > Import export.

2. Enter the User name. It must match the username that you've specified in the authorized host machines. You can enter letters without spaces.

3. Select Accept queries to receive requests from the manager. XG Firewall responds to queries when the user credentials match. To respond, it doesn't require details of the authorized hosts.

4. Select Send traps to allow XG Firewall to send traps (alerts) to the manager.


Tip: To turn on SNMP traps, go to System services > Notification list.

5. For Authorized hosts, enter the IP addresses (IPv4 or IPv6) of the host machines. If an SNMP manager or authorized host is in the WAN zone, turn on SNMP for the WAN zone. Go to Administration > Device access.

6. Select the Encryption algorithm from the list and specify the password, using at least 12 characters.

• AES

• DES

• None: No encryption

7. Select the Authentication algorithm from the list and specify the password, using at least 12 characters.

• MD5

• SHA256

• SHA512

8. Select Save.

3.16 Route-based VPN

You can now create IPsec VPN connections that use tunnel interfaces as endpoints, making static and dynamic routing possible.

Policy-based VPN doesn't use the routing table. Instead it uses a policy similar to policy-based routing to decide whether IP traffic is sent through a VPN tunnel. Routing policies take precedence over the routing table. Within a changing network environment, you have to constantly check existing policies and update the VPN connections.

With route-based VPN, the routing table defines whether to send specific traffic into the VPN tunnel or not. To use the routing table, you assign a virtual tunnel interface (VTI) to each endpoint device, in this case your XG Firewall devices. This makes setting up a tunnel similar to connecting two interfaces. You can use tunnel interfaces like any other virtual network interface in configurations. This allows you to set up static and policy-based routes.

Each virtual tunnel interface is associated with a single tunnel and a single XG Firewall device with its encryption domain. The peer XG Firewall should also use a tunnel interface. All traffic destined to the encryption domain of the peer device is routed through the associated tunnel interface.

Set up a route-based VPN by doing the following:

1. Add an IPsec connection for your XG Firewall with connection type Tunnel interface, using the WAN interface as the listening port.

2. Assign an IP address to the automatically created tunnel interface, called xfrm.

3. Repeat the first two steps for the peer XG Firewall.

4. Create a static, dynamic, or SD-WAN policy route using the virtual tunnel interface.


5. Add required firewall or NAT rules.

Route-based VPN tunnels don't work together with policy-based VPN tunnels in most cases, so you shouldn't mix them.

3.17 Web policy quota

Browsing quotas have been added to web policies, allowing you to set time quotas for browsing selected website categories. Users can choose how and when to consume their daily time quota.

Policy quota

Using time quota, you can allow access to restricted websites for a limited period. This applies to all the restricted web categories in the policy with a quota action. Time quota applies to all the rules in the web policy. Users can have individual quotas for each web policy.

When you make a change to the quota, the changes aren't applied if the web policy is invalid, the user has no time quota left, or the user has an active quota session in the web policy.

Quota details:

• When the quota traffic matches an SSL/TLS inspection rule that has action set to Deny, the quota won't take effect and the website continues to be blocked. To prevent this, go to Web > Exceptions, and create an exception to skip HTTPS decryption for the matching criteria.

• To see the remaining quota and to reset it, go to Web > Policy quota status.

• To customize the quota notification page, go to Web > User notifications.

Policy overrides and Time quota: Instead of using their quota, users who're allowed to override web policies can sign in to the user portal and grant themselves temporary access to websites that would normally be blocked by a web policy. When they use policy override, quota doesn't apply.

User action: When users try to access a page restricted by time quota, a quota block page appears. They can specify the quota they want to use and select Proceed. If they don't want to use their quota, they need to select Return to previous page. The block page reappears at the end of the period. When users exceed their quota, a message appears that no time quota remains.

Specify policy quota

1. Go to Web > Policies and click Add policy.

2. Click Add rule.

3. For the action to take when XG Firewall finds HTTP traffic that matches the selected criteria, select Quota HTTP.

4. For the action to take when the firewall encounters HTTPS traffic that matches the selected criteria, select Quota HTTPS.

Quota HTTP and Quota HTTPS allow users to select the duration in which to access a website that matches the selected criteria or to stop accessing it. Users can select up to the time quota you set for the web policy.

5. Scroll down to Policy quota status and select the Allowed time quota.

Example:


Create a web policy with a rule for the categories Online shopping and Unproductive browsing with Action set to Quota HTTP and Quota HTTPS. You then set the Allowed time quota to two hours. The users specified in the rule can access websites in these categories for two hours in a 24-hour period.

However, if you want to set individual time quotas for the two categories, you need to create two web policies.

Note: You can't set the quota to zero. Time quotas are reset at midnight local time.

Quota doesn't apply to Activities set to a content filter or to dynamic categories. Example: Web content with ActiveX, applets, cookies.

Policy quota status

You can see the time quota remaining for individual users in specific web policies within a 24-hour period.

The time quota applies to web categories with a quota action in a web policy.

1. To see the policy quota status, go to Web > Policy quota status.

2. To reset users' time quota, select the users and select Reset.


4. Enhancements

This section describes the enhancements introduced in Sophos XG Firewall 18.0.

4.1 Interface renaming

Interfaces can be renamed, making networking configuration easier and more intuitive.

Name: You can specify a name for the following network objects. You can change the name later. Maximum number of characters: 58

• Physical interface

• Bridge pair

• VLAN

• Link aggregation group

• Cellular WAN interface

• IP tunnel

• Wireless interface

Hardware: You can’t change the hardware name later.

• You can specify a hardware name for bridge pairs, link aggregation groups, IP tunnels, and wireless interfaces. Maximum number of characters: 10. Allowed characters: (A-Za-z0-9_)

• The hardware name of a physical interface is the port name, for example, Port1, PortA, or eth0.

• The hardware name of a cellular WAN interface appears automatically.

• XG Firewall creates the hardware name of a VLAN automatically, using a combination of the selected interface and VLAN ID.

4.2 Jumbo Frame Support

Jumbo frames with more than 1500 byte payloads are now supported for added networking flexibility in high bandwidth environments.

4.3 Enhanced DDNS support

Provides support for enhanced HTTPS-based DDNS by adding five more DDNS providers: No-IP, DNS-O-Static, Google DNS, Namecheap, and FreeDNS.


4.4 Improved Synchronized Application Control verdict

If there is a pattern-based match conflict, the Synchronized Application Control verdict is used. This gives more accurate application control.

4.5 DHCP relay enhancements for dynamic routing

Synchronizes dynamic routing updates (learned routes from OSPF) to DHCP relay, eliminating the need for manual reconfiguration.

4.6 Secure Syslog and logs in the standard Syslog format

Provides the option to fetch logs in the standard syslog format using secure TLS.

Go to System services > Log settings and select Secure log transmission.

4.7 Dynamic GeoIP (IP to country mapping) database

The GeoIP database is now updated dynamically in real time from the Up2Date servers. Make sure you always use the appropriate country-specific filters and policies.

4.8 VMware Tools upgrade and integration with VMware Site Recovery Manager (SRM)

Supports virtual device integration of the latest VMware Tools version (v10.3.10) with reboot, shutdown, and clone-like functionalities. The release also supports integration with Site Recovery Manager (SRM), the disaster recovery and business continuity solution from VMware which automates the transfer of virtual machines to a local or remote recovery site.

4.9 Log viewer enhancements

The log viewer gets several enhancements with one-click actions available right from the logs to narrow search results, filter log entries, or create or modify policies on the fly.

New filter and search options include the choice to disable signatures, block a source IP address, edit interfaces, and modify IPS, app control, or web filtering policies.


4.10 Live Connections

The live connections pages for IPv4 and IPv6 provide a lot of new insights into concurrent traffic in your network.

Go to Current activities > Live connections or Live connections IPv6.

Other applications: The category lists unrecognized applications along with the Rule ID of the applied firewall rule. It also lists system-generated traffic between XG Firewall and any zone. The Rule ID is set to zero because firewall rules don't apply to this traffic.

Example: DNS queries and replies when XG Firewall is the DNS server, signature downloads, traffic accessing the appliance consoles, DNAT traffic.

System-generated DNS traffic is listed in both these categories: DNS and Other applications. DNS traffic to which firewall rules apply is listed only in the DNS category. You can identify this traffic by the firewall rule ID.

Example: Traffic between an internal source and external DNS servers.

4.11 Access points can be restarted from the web admin console

You can now restart wireless access points from the web admin console.

To restart an access point, select an access point and click Restart.

4.12 Sophos Connect address range

Sophos Connect lease now supports more than 255 IP addresses in the address range.

XG Firewall now supports class B networks for IP addresses leased to the Sophos Connect client. You can change the last two octets.

For example, you can lease the IP address ranges 20.20.0.1 to 20.20.0.255 and 20.20.0.1 to 20.20.20.255.

The maximum concurrent VPN connections are based on the hardware and software sizing guides for XG Firewall.


5. Known issues

Issue / Explanation / Workaround:

• NC-56201: Any two RED interfaces having the same branch name value. The same branch name is allowed on multiple RED interfaces in SFOS.

  Explanation: Migration fails and the firewall goes into factory reset state. (Severe)

  Workaround: We'll fix this in a subsequent GA build. Please do NOT update to 18.0 if you use the same branch name for multiple REDs in SFOS.

• NC-54978: For HTTPS connections that aren't decrypted, web reports don't show bytes sent or received.

  Explanation: Web reports show a hit to the site, but show zero bytes sent or received.

  Workaround: None


6. Fixed issues

Issues resolved in build 354:

• NC-57910 [Base System (deprecated)] Unable to upgrade from 17.5 MR9 to 18.0 GA.

• NC-56732 [Firewall] Kernel panic after update to 18.0 GA due to SSLVPN.

• NC-57067 [IPsec] Sophos Connect lease doesn't support more than 255 IP addresses in the address range.

Issues resolved in build 339:

• NC-54339 [Config Migration Framework] 17.5 MR10 to 18.0 GA migration support

• NC-56550 [Policy Routing] SD-WAN policy routing screen smudge with blue strip

• NC-56201 [RED] Backup/Restore failure from 17.5 MR9 to 18.0 with specific RED configuration

• NC-56397 [Web] Certificate error received by the user

Issues resolved in build 321:

• NC-33664 [App Signature] Unable to block Psiphon

• NC-42675 [Authentication] access_server returns 'Login Failed' if two awarrenhttp threads call in at same time

• NC-44686 [Authentication] Import/export of AUTHCTA has missing and incorrect values

• NC-48116 [Authentication] Importing users via csv file with special character in password fails

• NC-50521 [Authentication] User group assignment issue with LDAP users

• NC-54642 [Authentication] Authentication not working due to high CPU utilization of access_server

• NC-50136 [Backup-Restore] ISP failover for 2 PPPoE connections is not working for local LAN systems

• NC-51979 [Backup-Restore] Can't reflect time zone from restoring backup file after factory resetting

• NC-32336 [Base System] gpg vulnerability (CVE-2018-12020)

• NC-42490 [Base System] Validation function for legacy objects does not get called

• NC-55640 [Bridge] Firewall rule id not matching if traffic is going into wifi interface

• NC-45935 [Certificates] Fingerprint not updated on Default CA regenerate event

• NC-49023 [Certificates] Webproxy signing with non default certificate when using HTTPS Scanning

• NC-54562 [Certificates] CAs are missing after update from v18 EAP2 to EAP3

• NC-29869 [Clientless Access(HTTP/HTTPS)] "Internal Server Error" after adding many VPN bookmarks

• NC-48516 [Config Migration Framework] Configuration migration log on console is wrong in case of failed migration


• NC-55270 [Config Migration Framework] Report migration failed

• NC-49648 [CSC] API Get BridgePair requests sometimes report incorrectly "No. of records Zero."

• NC-52857 [CSC] One time scheduler doesn't work as expected in case of DST

• NC-51717 [DDNS, Email] DDNS uses wrong IP when interface is configured with PPPoE + Alias

• NC-38763 [DHCP] IP not leased to DHCP only interface when update from stateless

• NC-38795 [DHCP] IPv6 not removed from DB while disable DHCPv6 manage flags from RA server

• NC-38930 [DHCP] Editing DHCPv6 interface with auto configuration does not get IP from DHCPv6 server

• NC-39157 [DHCP] DHCPv6 client option "Accept other configuration from DHCP" is not working

• NC-50214 [DHCP] DHCP server dead with specific configuration

• NC-51957 [Documentation] Showing fastpath load failed with command "console> system firewall-acceleration show"

• NC-48712 [Email] Antivirus service in stopped state, cannot recover it

• NC-51340 [Email] Mailscanner child process causing OOM events when editing blocked senders list

• NC-51347 [Email] Error message "undefined" received when trying to add host

• NC-51883 [Email] API error 599 when performing GetRequest for various email modules

• NC-52212 [Email] Reject/Drop action does not work correctly for oversized mails

• NC-53016 [Email] Email Blocked Senders cannot be updated

• NC-55138 [Email] SAVI AV update failed

• NC-22659 [Firewall] IPtable chains not created for firewall rule whose name contains a backslash '\'

• NC-30482 [Firewall] DNAT rules stop working after every reboot when migrating from UTM to SFOS

• NC-36616 [Firewall] Firewall group not available in API helpdoc

• NC-37775 [Firewall] Configuring over 20 time schedulers on the various firewall rules is causing CSC freeze

• NC-43017 [Firewall] Full config export does not include Security Policy group

• NC-43415 [Firewall] In the firewall rule, types of services are not translated

• NC-48803 [Firewall] Virtual Host update is called on every FQDN IP update even if it's not used in virtual host configuration

• NC-49101 [Firewall] Group description delete issue in firewall

• NC-49678 [Firewall] Default ICMP service not matching in policy test tool

• NC-50222 [Firewall] Firewall rule position display is incorrect on rule deletion


• NC-50549 [Firewall] Drop packet does not show all the information for firewall rule ID 0 drop compared to v17.5

• NC-50712 [Firewall] NAT rules UI error

• NC-50949 [Firewall] Wrong ARP behavior in relation to DNAT rules

• NC-51867 [Firewall] Denied firewall logs sent to garner for allowed firewall rule even if logging is disabled

• NC-51964 [Firewall] DNAT rule stopped working after every reboot

• NC-52395 [Firewall] Getting wrong username in admin event for firewall rule group name update

• NC-52429 [Firewall] Web access lost for 10+ minutes after HA fail-over

• NC-52638 [Firewall] WAF is not able to connect to webserver via IPsec tunnel

• NC-52662 [Firewall] Continuously receiving 'fw_fp_invalidate_microflows:459: Queueing invalidate work ffff8801ed1bb5c0' error in syslog

• NC-52853 [Firewall] Observed feedback channel plugin of garner core dump on XG330

• NC-52873 [Firewall] Kernel warning message 'RIP: 0010:tcp_send_loss_probe+0x13f/0x1c0' observed in syslog

• NC-53364 [Firewall] Firewall rules are not getting created correctly using XML API

• NC-53988 [Firewall] Kernel panic on XG450 appliance

• NC-54038 [Firewall] Wrong notification message displayed after disabling firewall rule

• NC-55261 [Firewall] Appliance crashing with Kernel Panic

• NC-55789 [Firewall] Ipuser ipset dumps when user is authenticated via STAS

• NC-47482 [Firmware Management] Firmware mismatch issue - both firmware slots showing same firmware

• NC-52441 [Firmware Management] Sometimes the firmware 'install' opcode times out and installation fails

• NC-38800 [HA] Incorrect error message when configuring HA A-A with DHCP interface

• NC-39015 [HA] Unable to configure peer administration port for HA A-P when one IP family of the interface uses dynamic IP assignment

• NC-30485 [Import-Export Framework] Export full configuration sometimes fails with error - 'The request could not be completed'

• NC-39229 [Interface Management] XG unsynced with SFM when unbinding any interface from SFM

• NC-46514 [Interface Management] Cyberoam backup restore fails when DHCPv6 interface is configured

• NC-48450 [Interface Management] Table for interface widget is not visible in control center page

• NC-49938 [Interface Management] Sometimes traffic drops in bridge mode

• NC-48956 [IPS Engine] Modify IPS TCP Anomaly Detection setting to disabled in default setting


• NC-53875 [IPS Engine] IPS keeps getting started because of page allocation failure

• NC-51568 [IPS-DAQ] Coredump in snort

• NC-52085 [IPS-DAQ] Wget not working for IPv6 sites in bridge mode - SSL decrypt not working

• NC-53363 [IPS-DAQ] Internet traffic hang and all traffic dropped

• NC-52641 [IPS-DAQ-NSE] IPS Service DEAD

• NC-54310 [IPS-DAQ-NSE] CC terminals do not establish a connection with server

• NC-29370 [IPsec] Tunnel is getting established even though PFS is disabled on the VPN client side and enabled in SFOS IPsec profile

• NC-49919 [IPsec] Dgd service stopped and unable to start

• NC-33848 [LAG] LAG advanced options not working when LAG is member of Bridge

• NC-40683 [LAG] LAG active mode import-export is not working

• NC-52090 [Logging] LogViewer: "Action is not Allowed" filtering not working in detailed view

• NC-52762 [Logging] LogViewer: system mentioned in upper case

• NC-46114 [Logging Framework] Improper input validation and email notification after failed login (Webadmin, SSH, ...)

• NC-50127 [Logging Framework] Garner coredump in HA setup at handle_sync_input

• NC-51942 [Logging Framework] Policy Test Tool not working if firewall rule created with destination network as country or country group

• NC-37839 [nSXLd] Proxy authentication is not cleared after config reload

• NC-37841 [nSXLd] Keywords are not deleted when custom web category is deleted

• NC-54525 [RED] S2S RED tunnel doesn't get established on SFOS after EAP2 to EAP3 upgrade

• NC-28022 [Reporting] Incomplete field names on data anonymization page

• NC-42864 [Reporting] Reports downloaded in PDF format have logo too close to the first line in most pages

• NC-43183 [Reporting] When data anonymization is enabled, scheduled reports are showing "Not available" instead of anonymized string

• NC-45154 [Reporting] Cannot specify hour and minute properly in Detailed Custom Reports

• NC-45236 [Reporting] Reports sent 1 hour later than scheduled

• NC-46178 [Reporting] "Web Risks & Usage Visibility" not showing any data

• NC-49273 [Reporting] Filtering on blocked user activities not working as expected

• NC-52120 [Reporting] Daily Reports are received but delayed by varying amounts of time

• NC-52125 [Reporting] UTQ user data is empty in SAR report but populated in GUI dashboard report

• NC-53072 [Reporting] Events reports (Admin, Authentication and System) are not generating because the DB insert query fails

• NC-53369 [Reporting] Application Categories shown as "Unclassified"

• NC-54177 [Reporting] UTQ not generating due to change in web categories names


• NC-48718 [Service Object] Unable to edit service object that is assigned to a firewall rule

• NC-47585 [SFM-SCFM] Backed-up 'central reporting' config is not maintained after restoring config

• NC-53043 [SNMP] Wrong data is displayed in SNMP query for CPU usage

• NC-47348 [SSLVPN] LogViewer logs are not generated for ssl vpn connection up or down events

• NC-55228 [SSLVPN] Site2site - SSLVPN client in HA is not initiating connection after active node shut down

• NC-54150 [Static Routing] Data insertion is failing if large number of connections are present and Live Connection page is loaded

• NC-54314 [Static Routing] Negative value is displayed in upstream/downstream bandwidth column

• NC-51673 [UI Framework] User portal redirect loop when using non-standard port

• NC-55193 [VFP-Firewall] Port self test reboots appliance - V18 fastpath

• NC-23045 [WAF] WAF - Increase default TLS version to v1.2

• NC-51952 [WAF] WAF firewall rule update failed after migration from 17.5 MR8 to 18.0 EAP1

• NC-55034 [WAF] Web server timeout of 0 leads to syntax error in reverseproxy.conf

• NC-51156 [Web] Dynamic app filter rules which do not contain any applications are enforced for all applications in WIS

• NC-53402 [Web] Appliance auto reboot due to OOM (out of memory)

• NC-53709 [Web] Tiktok video not working with plain firewall rule with SSL/TLS enabled

• NC-54421 [Web] SSLx Exception based on SAC does not work

• NC-44346 [WWAN] Cellular WAN does not take over again on failover
