XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.

XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. SSL VPN MFA

    With a SSL VPN client with MFA enabled, the login form needs to display either another text box to insert the MFA code or a message stating that a MFA code needs to be appended to the password.
    The current login form is rather crude and causes a lot of helpdesk calls because they don't realize ( or keep forgetting) that their MFA code needs to be inserted after their password.
    An upgraded form with logo that looks more professional would be my preference please.

    1 vote
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Authentication clients  ·  Flag idea as inappropriate…  ·  Admin →
  2. Synchronized Security Heartbeat Between 02 or more Sophos XG

    As the Title, Clients with the gateway on CoreSW can not use Heartbeat to the Internal Firewall XG because the Heartbeat packet is route by the External Firewall XG.

    1 vote
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Synchronized Security (Heartbeat)  ·  Flag idea as inappropriate…  ·  Admin →
  3. Policy Test should display blocked for unauthenticated users

    When the option "Use web authentication for unknown users" is selected in the Firewall Rules, the Policy Tester shows the result as "Allowed" even for unauthenticated users. I suggest it should display as Blocked for unauthenticated users.

    1 vote
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Reporting  ·  Flag idea as inappropriate…  ·  Admin →
  4. Network Map

    I suggest the implementation of network map visualization to watch os type, hostname, IP, open ports and manage their network access.

    1 vote
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  5. WAN Interface DNS

    Any interface configured as WAN cannot have their's ISP's internal DNS server configured right on the interface, just have to use those 3 DNS servers on the DNS page. Adding this function will allow many ISP DNS Servers to respond faster for any resolution, increasing the response time for the request for that ISP that runs better than with public DNS Servers, and making the end-users more unsatisfied with the WAN performance.

    Just adding the option to set DNS Servers on the interface configuration for each WAN will resolve this issue.

    6 votes
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Base System + General UI  ·  Flag idea as inappropriate…  ·  Admin →
  6. Apply QoS / routing rules to XG generated traffic

    It would be really useful if you could apply QoS and routing policy to data generated by the XG, such as signature updates. So these updates do not impact the WAN bandwidth low speed links.

    2 votes
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Base System + General UI  ·  Flag idea as inappropriate…  ·  Admin →
  7. Select which pattern module updates are downloaded automatically

    We have a number of XG firewalls connected to very low bandwidth / high latency WAN connections.

    On the old Cyberoam OS it was possible to select which pattern modules are updated automatically. This saved unnecessary data being downloaded as we only need IPS and Application signatures to stay up to date.

    2 votes
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Base System + General UI  ·  Flag idea as inappropriate…  ·  Admin →
  8. Allow Link-Local IPs for Health check AWS uses them for interface IPs

    Allow Link-local IP for Health check under gateways. AWS uses link-local IPs for interface IP so if you are using tunnel interface mode for ipsec and have both gateways setup for failover you are unable to use a health check currently because you do not allow link-local IP. You are able to ping it though device console so it would work if you would just allow Link local IPs

    1 vote
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  VPN and RED  ·  Flag idea as inappropriate…  ·  Admin →
  9. Easy Routing

    please add an option for easy Routing information to choose between only ipv4 or ipv6 for networks which have both and uses DDNS

    1 vote
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Application Control  ·  Flag idea as inappropriate…  ·  Admin →
  10. PPTP - Set timeout for users that are inactive

    We have users who are connecting via PPTP to the VPN that are not terminating their PPTP VPN session on their PCs. They are using Windows Built-In VPN application to connect.

    This results in a single user having several sessions taking up IP address from our set VPN IP range.

    Unless I'm not seeing it, can the option to terminate PPTP VPN sessions based on activity be added?

    We're using SG330 (SFOS 18.0.4 MR-4)

    2 votes
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  VPN and RED  ·  Flag idea as inappropriate…  ·  Admin →
  11. cisco

    Cisco ASA to Sophos XG Migration tool

    1 vote
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Base System + General UI  ·  Flag idea as inappropriate…  ·  Admin →
  12. WAF Source Filter by FQDN

    Currently WAF rules can only have their source filtered by IP or by Network, while regular DNAT rules can be filtered by IP, IP Range, IP List, MAC Address, MAC List, Host Group, Network, FQDN Host, FQDN Host Group, or Country Group.

    I'd like the functionality of the WAF source filter to be expanded to have the same capabilities as a full DNAT rule.

    I'm specifically after the FQDN host so we can filter and use DynDNS hostnames but the other things would be handy as welll

    1 vote
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  13. synchronised ID authentication (Heartbeat) for different UPN domains in one DC

    DCs can only authenticate against one UPN domain. My AD uses several UPN domains, so that e-mails coincide with user accounts, as we own different domains. So I can only use Heartbeat authenticacion with users in the same domain as configured in DC, or I have to create as many DCs as domains, which does not make any sense.

    Can you enable the capability to authenticate against different domains, by allowing to add several domains in the domain field of the DC access server?

    1 vote
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Synchronized Security (Heartbeat)  ·  Flag idea as inappropriate…  ·  Admin →
  14. http waf connections reset after changing remote desktop waf template rule

    as described in your article: https://docs.sophos.com/nsg/sophos-firewall/17.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/tasks/MicrosoftRemoteDesktopGateway2008andR2.html
    As soon as a new HTTP based rule configuration has been created and saved or an existing HTTP based rule configuration has been altered and saved, all HTTP based business rules will be restarted. Any underlying client connection using a HTTP based business rule will get lost and has to be re-established.

    This should not happen, and it should be corrected.

    1 vote
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Webserver Protection  ·  Flag idea as inappropriate…  ·  Admin →
  15. Support for Industrial Control and Automation Protocols (SCADA) in DPI / IDS

    Idea originally posted by TheMachineWhisperer in 2018 but never responded to by Sophos.

    Security for industrial automation, critical infrastructure, and SCADA systems is very much a critical issue.

    We would like to see some development to include capability for Deep Packet Inspection and control of industrial control protocols such as:

    Modbus TCP
    Ethernet/IP (CIP)
    OPC Classic (DCOM / RPC)
    Siemens S7
    DNP3
    etc.

    Inclusion of rules for these into IDS and would also be welcomed.

    A number of vendors approaching us are starting to get into this specialist area of the market and it would be great to see Sophos…

    1 vote
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  16. API user last login other details

    Want to get the following details for VPN users.


    1. User create date

    2. User last modified date

    3. User last connection date

    4. User last date of password change

    This information via API would assist with internal compliance audit and auto disable of accounts not in use as well as automated emails to change passwords.

    4 votes
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Reporting  ·  Flag idea as inappropriate…  ·  Admin →
  17. Bandwidth Graph for IPSEC VPN Tunnel

    Bandwidth graph for IPSEC VPN tunnel gives us the overview of the traffic consume by the VPN tunnel currently which is not possible in Sophos XG, only the interface graphs can be view.

    5 votes
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Base System + General UI  ·  Flag idea as inappropriate…  ·  Admin →
  18. Enable/Disable SSL/TLS inspection per firewall rule

    In v18 of SFOS of my XG firewall, SSL/TLS inspection is a global on/off setting. I would like to be able to control the use of SSL/TLS inspection per rule instead of globally.

    I have an old copier trying to send secure emails and the inspection engine is erroring out with a timeout error. There is no way to make an exception for this. If could just create a new firewall rule so this copier could send out emails would be great while leaving SSL/TLS inspection enabled for all the other rules. v17 everything worked fine.

    3 votes
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  19. Quarantine report - Phishing/Spoofing

    Sender field, in quarantine report email, currently presents only the forged/fake address of a Phishing/Spoofing email.

    A good idea would be to add the real Sender Address, and maybe color it with RED to be eye-catchy and alert the user to pay attention to it.
    Alternatively, display only the original email address.

    2 votes
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Email Protection  ·  Flag idea as inappropriate…  ·  Admin →
  20. IPSEC Site to Site with IKEv2 and RSA Keys should rekey instead of reauthenticating when phase 1 expires

    Actually, when phase 1 expires with IKEv2 and RSA-Keys, reauthenticating happens, which is leading to a short VPN interruption ans the corresponding log entries showing the connection as down and up again.
    I'd like to propose to implement "reauth=no" in the VPN Configuration. This will lead to rekeying instead of reauthentication when phase 1 expires. Rekeying happens on the fly without interrupting the tunnel and also without the log entries.
    This feature request was created based on the Sophos support ticket number [ ref:00D301GN6a.5003Z1728jB:ref ].

    5 votes
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  VPN and RED  ·  Flag idea as inappropriate…  ·  Admin →
← Previous 1 3 4 5 92 93
  • Don't see your idea?

Feedback and Knowledge Base

icon-data-protection icon-endpoint-protection icon-phish-threat icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-mobile icon-sophos-utm icon-sophos-utm icon-sophos-utm icon-web-appliance icon-xg-firewall icon-xg-firewall icon-avid-secure icon-lightbulbCreated with Sketch.