
NEW Sophos XG Firewall v17.5

Last updated: 31st October 2018

Sophos has announced a major new release, XG Firewall v17.5! This huge release includes new features that will appeal to educational institutions, including new web policy options and Chrome authentication. It also brings XG Firewall management to Sophos Central, new Synchronized Security features, Wireless APX support, and many more top-requested features.

What’s New:

Here are the top education features in v17.5:

Chrome Authentication

Chromebooks are increasingly popular in education, but they create a unique set of challenges for user identification with network firewalls. XG Firewall v17.5 provides a Chromebook extension that shares Chromebook user IDs with the firewall to enable full user-based policy enforcement and reporting. Prerequisites include an on-premises Active Directory server synced to Google G Suite. The Chrome extension is pushed from the G Suite admin console, providing easy and seamless deployment that is transparent to users.

Classroom web policy overrides

This feature allows authorized users, such as teachers, to override blocked sites on user devices, temporarily allowing access. Administrators define which users (or teachers) have the option to authorize policy overrides. Those users can then create their own override codes, like simple passwords, in the XG Firewall User Portal and define rules about which sites they can be used for.

Codes can then be shared with end users in the classroom, who enter them directly into the block page to allow access to a blocked site. Override code rules can be broad (allowing any traffic or whole categories) or narrower (allowing only individual sites or domains), and can also be limited by time and day. To avoid abuse, codes can easily be changed or canceled.

Administrators can see a full list of all override codes created and disable or delete them, as well as defining sites or categories that can never be overridden. There is also a new report providing full historical insight into web override use.

Web Policy-based SafeSearch

Web policies have been expanded to include many settings that were previously global configuration options. Search engine enforcement (including SafeSearch and YouTube restrictions), download file size limits, and Google App domain restrictions are now all set on a per-policy basis, providing much greater flexibility in how these controls are applied.


Here’s a quick overview of the key new features in v17.5:

  • Sophos Central Management of XG Firewall with new features for backup and firmware management, as well as a new zero-touch deployment option
  • Synchronized Security features including Lateral Movement Protection to prevent threats from spreading on the same network segment and Synchronized User ID to eliminate the need to integrate with Active Directory for user identification
  • Wireless APX access point support offers support for the new Wave 2 access points, providing faster connectivity and added scalability (and will come shortly following the main v17.5 release in MR1)
  • Education features such as policy-based control over Safe Search and YouTube restrictions, block-page overrides, and Chromebook authentication support
  • Email features with Sender Policy Framework (SPF) anti-spoofing protection and a new MTA based on Exim, which closes a couple of top-requested feature differences with SG UTM
  • IPS protection is enhanced with the Cisco Talos IPS pattern library and more granular categories
  • Management enhancements including enhanced firewall rule grouping with automatic group assignment and a custom column selection for the log viewer
  • VPN and SD-WAN failover and failback including new IPSec failover and failback controls and SD-WAN link failback options
  • Client authentication gets a major update with a variety of new enhancements, such as per-machine deployment, a logout option, support for wake from sleep, and MAC address sharing
  • Airgap support enables XG Firewall to be updated via USB in situations where XG Firewall can’t get updates automatically via an internet connection due to an “airgap” or physical isolation (coming shortly following the main v17.5 release in an MR)
  • Sophos Connect IPSec VPN client, free for all XG Firewall customers, that makes remote VPN easy for end users (not part of v17.5 but being made available at the same time for early access)

Additional Resources:
Watch this 30-minute SophSkills recording to see a more comprehensive overview of what’s new, including screenshots and how many of these features work.

Download the What’s New in v17.5 PDF overview and PowerPoint presentation, detailing all of the new features.
