we need ip sla feature for high latency fail over while we using two links if one link goes to high latency we need to switch over to secondary link automatically.

Allow for exceptions to be created that will allow the traffic to go direct to the internet bypassing VPN configured as full tunnel for both SSL and IPsec VPN. This is recommended by Microsoft for Office 365 traffic.

https://techcommunity.microsoft.com/t5/office-365-blog/how-to-quickly-optimize-office-365-traffic-for-remote-staff-amp/ba-p/1214571

Alternatively it would be even better if Sophos can build in this functionality within the OS making it an option that can be enabled/disabled.

SSL VPN tunnel should be established with SUB Interface IP of BSNL which is public-facing and the main Interface IP is Connected to BSNL as L2 LAN.
We can establish connectivity using Sub IP to IPSEC Tunnel and to Serve Internet to users but can not able to connect using SSL VPN as the Main interface IP is L2 LAN and Sub IP is public-facing.

Please allow XG Firewall to support MLPPP (Multi-LInk PPPoe) so we can bond two DSL connections together! I see Sophos UTM already supports this.

Possibility of full text search in firewall rules

Functionality that allows you to tailor notifications.
For example, a fault discovered and has maintained a fault for 15 minutes then sends out the notification instead of constant up/down notifications.

Dear Support,

We need the following option on sophos XG Firewall.

Suggetion: while connecting to sophos remote ssl VPN, we need the option of prioritizing the primary or secondary ISP on Firewall.

Add ability to export active (in case filtering is applied) firewall/NAT rules with their stats to CSV or PDF for external reporting requirements.

Country Blocking should have an option for blocking the uncategorized Public IPs,
These are noted as not belonging to a country, these do not get blocked by default, I would like an inclusion of a group called "Uncategorised", and this would block all the Public IPs that have no categorisation, and exception can always be made later if they are required, this also happens on the SG UTM boxes as well.

We want to allow ICMP request from WAN on Public Alias IP address to check whether the internal host is up or down. Internet should not be able to ping the NAT public IP address if the host is down. Any ideas how to do it?

Hi all,

It would be great if you could test published services in the "Policy Tester" section.

Specially since you're trying to push v18, why not add that possiblity? The policy tester already can tell you rule and NAT of outgoing traffic to the internet.

And since decoupling NAT and firewalls rules will cause a lot of NAT rules (specially mid to large companies), checking those in the little screen that SFOS provides its not great.

Thanks!

Sophos Connect client IPSec connections generate separate log events for EVERY SUBNET mapped. There is no single event that any SIEM recognizes as a VPN login event. Every other firewall vendor we've tried doesn't have this issue.

Please bring AES-NI support for the software version of XG.

As you can read in this thread it is not yet supported:
https://community.sophos.com/products/xg-firewall/f/hardware/119782/hardware-acceleration-aes-ni-isn-t-being-used-on-the-software-version-of-xg-v18#pi2151=1

in wifi voucher i suggest to add voucher with long period of validity but with a limited daily quota

as example voucher valid for one year with limited daily quota 500mb

In the application filter there is an category called "e-commerce". When you look inside the application list, you can see a lot of banking apps listed but also Ad-Server apps and tracker. It would be nice when there is seperate new category like "Ads & Tracker". This would make it more easier for the administrator to filter and block unproductive web apps.

Xg Firewall doesn't support "Scan FTP for malware" scanning of FTP traffic for explicit over TLS