XG Firewall
Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.
-
sec_request_body_no_files_limit in GUI
Allow setting secrequestbodynofiles_limit via the GUI for Web Protection policy.
Having to set via CLI tblwafsecurityprofile settings every time a WAF setting changes is very bothersome and leads to more downtime for customers.
https://community.sophos.com/sophos-xg-firewall/f/discussions/114221/413-request-entity-too-large
1 vote -
expand custom hostname Hotspots length limit
currently the custom hostname Hotspots length is limited up to 30 characters. If Sophos expand the database-field to more than 30 characters this would be great
1 vote -
expand custom hostname Hotspots length limit to more than 30 characters
currently the custom hostname Hotspots length is limited up to 30 characters. If Sophos expand the database-field to more than 30 characters this would be great
0 votes -
port monitoring
I know there was another idea post for Decryption port monitoring but I'd like to have full blown Port Monitoring as found on all managed or semi managed switches as well as most Ent grade Firewall apps from other developers so this would be a powerful addition for diagnostics / hunting over XG's own reporting functionality which Ive found isn't sufficient, Packet Capture is limited to 2MB at a time and their config and filtering doesn't have custom option facility.
Hope this idea gets votes and would love to see it added to XG sometime in the future.
1 vote -
port monitoring
I know there was another idea post for Decryption port monitoring but I'd like to have full blown Port Monitoring as found on all managed or semi managed switches as well as most Ent grade Firewall apps from other developers so this would be a powerful addition for diagnostics / hunting over XG's own reporting functionality which Ive found isn't sufficient, Packet Capture is limited to 2MB at a time and their config and filtering doesn't have custom option facility.
0 votes -
usable VPN App for Android
We need a VPN app for Android that can be distributed and configured via Sophos Central and can connect to an XG. This must be able to handle "VPN on demand" (Android Enterprise).
Central can already distribute certificates via SCEP, but neither the XG nor Central can create a useful, secure, easy-to-use VPN configuration for Android.
This is ridiculous2 votes -
HTTP/S bookmarks feature retirement in sfos v18
Our Customer need this feature....
See link -->https://support.sophos.com/support/s/article/KB-000038761?language=en_US1 vote -
mac vendor identifying
It would be great if the DHCP table would check the MAC Vendor and Display it.
This would make identifying certain devices in a Network so much easier.
Small solutions like a WLAN Router or bigger solutions like certain Firewalls have this feature but Sophos XG is lacking it.
Thank you beforehand.
5 votes -
Plz Allow PPPOE Client For Isp Provider
Plz Allow Xg Firewall On pppoe Username And Password For Client Side Prove then We Can Provide PPOE account For Client Side Isp
1 vote -
Log archiving in external server
As per my company policy we have to retain 3 years log, is there any way in Sophos xg where we can archive daily log reports to external servers automatically without using GUI.
1 vote -
Plz Allow Set Data Quata On Ip Rule
Plz Allow Set Data Quata On Ip Rule
1 vote -
DNS host entry - NXDOMAIN for IPv4 OR IPv6 instead of resolving it externally
For setting up a complex network scenario with split DNS it would be good if you could set also an NXDOMAIN entry/checkbox for IPv4 or IPv6.
Example:
Internally I want to have clients only connect to a specific service via IPv4, not via IPv6. Then I put in the DNS host entry for IPv4 and for IPv6 I set NXDOMAIN. Because if there is an external IPv6 entry the XG will deliver this one back as it can't resolve it internally.
Also this is a big problem if the external DNS host entry is a CNAME because it resolves the…
1 vote -
Multiple nat on single ipsec tunnel
Sophos XG210 failure to do Multiple NAT rules on IPsec Site-to-site VPN
Description:
We want to configure multiple NAT rules on IPsec site-to-site VPNs and the firewall only supports one NAT rule on each VPN. Please can we have advice on how to resolve this.
Please refer to case:ref:00D301GN6a.5003Z1DegHy:ref where support mentioned is not supported at this stage.
Also look at a previous request on this:
https://community.sophos.com/sophos-xg-firewall/f/discussions/84062/multiple-nat-on-single-ipsec-tunnel2 votes -
Remove Erroneous Blocked Websites
Please update the web protection categories to NOT block several legitimate websites. Several major software vendors are currently erroneously listed in the block list. This software is widely used and NOT a risk. Some example sites blocked are
Google Chrome Enterprise browser, Intuit Quickbooks, Adobe Acrobat, Adobe *
I could understand blocking these things if they were a risk but they are not. This is software that literally 100% of organizations use in one way, shape or form.
Please update these web filtering lists to allow updated on these critical apps. We shouldn't have to create dozens of exceptions to…
2 votes -
Wireless PSK Max/Min Lenght
The WPA2 field doesn't warn users if they input a value that is longer that what is allowed. Instead it saves the configuration and puts the wireless network in open mode without any security. All password fields within the XG should notify the user of the input restraints they have. They should notify a user of the min-max length. Complexity meter would also be helpful to improve users password choices.
2 votes -
Password Field
All password fields within the XG should notify the user of the input restraints they have. They should notify a user of the min-max length.
2 votes -
IPSec Remote Acess - Selection of other policy than the default one
To summarize:
Default re-key time for IPsec remote access is set to 4 hrs and does not have any option to change it from GUI. - This usually happens in the backend without any interruption (with only one authentication). However, if we have configured MFA then it will prompt for the OTP after every 4 hours as it requires reconnecting.
Administrators may be able to config this behaviour as well be able to associate the IPSec Remote Access to another Policy than the default one.
3 votes -
Implement proper ARP handling in multi-interfaces setup ( ARP FLUX problem )
Dear Sophos!
Implement proper ARP-FLUX problem handling in multi-interfaces setup.
ARP-FLUX:
The ARP Flux problem occurs when a host replies to ARP requests for interfaces on the same subnet, from any interface on that same subnet. ... However, in specific cases, ARP Flux generates unexpected behavior of applications due to incorrect mapping between IPv4 addresses and MAC addresses.FIX:
echo 1 > /proc/sys/net/ipv4/conf/all/arp _ filter
echo 1 > /proc/sys/net/ipv4/conf/all/arp _ ignore
echo 2 > /proc/sys/net/ipv4/conf/all/arp _ announceecho 1 > /proc/sys/net/ipv4/conf/default/arp _ filter
echo 1 > /proc/sys/net/ipv4/conf/default/arp _ ignore
echo 2 > /proc/sys/net/ipv4/conf/default/arp _ announceRequest:
Make this settings default,…1 vote -
STAS support LDAPs on eDirectory mode
This feature request is in response to the realization that the STAS Agent cannot establish encrypted LDAP communication to a backend eDirectory server.
Problem: It is not possible to set up the STAS Agent in eDirectory mode with an encrypted (port 636/tcp) LDAP connection. Only a plain text LDAP over port 389/tcp is supported at this time. (We wrote the year 2021 for all readers).
Function: Establish the configuration option and support encrypted LDAP communication to eDirectory server over port 636/tcp for the STAS agent of Sophos XG Firewall.
3 votes -
report
Dear Team
currently not able to check user wise web and application report like who is using tor proxy or any other web or application.
example i have downloaded movie from any web but there is no option to find which user have access which application.
1 vote
- Don't see your idea?
