Webserver Protection forms authentication do not have any kind of validation for wrong username or password. IF a user types in incorrect credentials there is not notification why, just reloads page. This product is not ready for production without it. Even the Hotspot login page have customization for errors. https://docs.sophos.com/nsg/sophos-firewall/17.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/LoginPageTemplate.html

Regardless of clients PC network, there still need to be a mechanism that allows heartbeat monitoring. Only having a feature that is network dependent defeats a centralized management system. With multiple remote clients and offices not having the ability to monitor these stations because they are not on the same network as the firewall is very limiting and not practical.

Download restriction of sslvpn configuration file for user in user portal

It will Be Helpful to back to old method Auth. between AD and SFOS like UTM that will be decrees the most of the STAS problems.

Let the admin can use deny-all to be as default when creating a new one. it will be helpful to block all ports and IPs not only mentioned APPs.

Currently there is a limit of 50 configs in OpenVPN GUI.
There are already prereleases of the original OpenVPN GUI which remove those limit and add nested configurations.

I would like to see that in Sophos XG SSL VPN Client too.

When you configure the quarantine digest to reference the external IP address of the XG unit, the digest email references the "Admin Console Port". This is absolutely absurd. It effectively means that I need to open up access to the Admin portal to the entire world without restriction - this is a MASSIVE security risk.

The easiest solution is to change the XG to use the User Portal port for the "release" link under the action heading.

@Sophos Development Team - When can we expect VRRP on XG, or between the same and or different XG models? FortiNet is on speed with this feature and I've used it many times on Forti before. It really came in handy with different scenarios.

As long as you open a https page via browser you may see that there is an ssl verification error and xg did block traffic.

as tls verification is also implemented in FTPS (Scan FTP for Malware) you wont get any message on fails, you just can imagine that traffic won't pass because of an tls error.

same if https is use by applications e.g. internal software updates

Hello,

we would like to have a diagnostic tool to test firewall rules with geo restriction.

At the moment it is difficult to test geo restriction if you dont got any host from a certain country / IP-Range.

Thanks!

RBL type group can be used in Blocked client networks of Firewall rule.
If the user's email password is leaked, the hacker will use the managed host to connect to the mail server. Most of these hosts come from low-reputation IP addresses, so we can deny connection requests from these low-reputation IPs in the business policy.

Mac and Linux client are currently not able to send there heartbeat over the SSL client VPN.
How can we ever build a secure network for everyone?

Heartbeat client list must be avalible at ANY time not only if there is a missing or at Ristk client.
Otherwhise there is no way to determ which client is registerd with heartbeat (esspecially as live connections heartbeat clients differ from Security Heartbeat status).

The RED service should be considered a Local Service and allowed to attach to the Zone of our choosing. This would allow us to easily add Local ACL's to limit which external IP addresses port 3400 is open on among other things. As currently configured having port 3400 open and using a self signed certificate fails PCI compliance scanning.

Through Public IP Remote login Live user monitoring option

It would be great if Master and ***** are identified in HA configuration. It is not possible to know which one is the master, only the active and standby.

I need to make a URL redirection for all Wi-Fi guest access once they are filling its details and submit the form they are enjoying internet access. Where I can make the following:-
1. VLAN configuration: Wi-Fi port to be configured as a VLAN based URL redirection.
2. Condition: Access to the internet based on the submit button inside the form.
3. Use mac address criteria in case the same customer need to access the Wi-Fi in the next day he will don’t need to fill the form again.