XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.

  1. Private VLAN

    Currently the Sophos UTM / XG do not support Private VLANs. This is a major security feature that is being used more and more often, especially in virtualised environments with VDIs, DMZs or even sensitive / untrusted local equipment at an office campus.

    With the addition of Private VLAN you can prevent these devices from communicating with each other. However, Sophos does need to support this feature. Currently the virtual variants do support it thanks to VMware, but the hardware variants do not.

    7 votes
    1 comment  ·  Network Protection
  2. Show full DUID in IPv6 Lease Table

    I would find it useful if under Configure -> Network -> DHCP -> IPv6 Lease, the table showed the complete DUID for the clients. The easiest method that I can find to create a static IPv6 address for a server or other client is to find it in this list then create the static IPv6. At the moment, only part of the DUID is shown making it impossible to copy and paste into the static lease table. To insert it into the static lease table I need to copy it out manually.

    6 votes
    0 comments  ·  Network Protection
  3. WAN inbound Failover / block inbound traffic on Backup WAN

    Currently, inbound traffic is allowed on all WAN lines, the Active and even on the Backup WAN lines! This is unacceptable.
    Inbound traffic should only be allowed on the ACTIVE line, and be allowed on the Backup line ONLY when a failover occurs.
    The XG is advertising a Failover function that is in effect allowing Load Balancing. This is a problem for more costly backup lines that are, as their name clearly says, "Backup" lines, not to be used unless a Failover occurs. Unless a WAN link is Active, it should not be allowing traffic through it!!
    This to me…

    6 votes
    0 comments  ·  Network Protection
  4. Sandstorm - FTP Scanning

    [Allow Sandstorm to scan FTP access]

    Allow Sandstorm to scan FTP access; also allow FTPS interception for Sandstorm.

    8 votes
    0 comments  ·  Network Protection
  5. Use IP range for ssl vpn user remote access

    Cannot give an IP range for SSL VPN user access, only access by all networks or a particular host.
    Please check this feature.

    8 votes
    0 comments  ·  Network Protection
  6. VPN Web portal

    In the industrial controls field we use devices such as the Phoenix Controls mGuard VPN router to allow remote access to internal networks via VPN. It works in a similar fashion to a RED device in that the router automatically creates a VPN to the cloud-based system that the user then also creates a VPN connection to from their PC. The web-based interface then allows the user to create a secure tunnel between their PC and the remote site. It would be great to see this kind of functionality on Central. If the XG could automatically create a…

    4 votes
    0 comments  ·  Network Protection
  7. Static route monitoring/tracking for failover

    Sophos XG has the function to configure static routes, but when two routes are configured for the same subnet with different metrics, it does not understand when to do the failover and to go to the larger metric.
    What draws attention is that it is possible to configure, but it does not work.
    Our suggestion is that we can configure static routes with a probe so that XG can understand when to disable a static route and forward the packets to another static route with a larger metric.

    19 votes
    2 comments  ·  Network Protection
  8. Show preshared key in IPSec

    In previous firmware we used to be able to show the existing preshared key in the IPSec configuration but this option appears to have been removed. Can it please be reinstated?

    17 votes
    0 comments  ·  Network Protection
  9. Show PPPoE password

    Can we please have an option to show the current PPPoE password in the Network configuration section?

    1 vote
    0 comments  ·  Network Protection
  10. Pagination Options for Clientless Users Dashboard

    It would be great to be able to display more Clientless Users within the Clientless Users screen. When dealing with large ranges it becomes tedious to alter the status of say an entire /24 worth of users.

    2 votes
    1 comment  ·  Network Protection
  11. Clientless User - Distinguish Between "Enabled" and "Active"

    When using the Clientless User feature, "Active" really just means "Enabled" and it shows up within the Active Users section in the dashboard. What would be really helpful is to know the actual "Active" users and not just the "Enabled" users. We use Clientless Users to define several DHCP ranges, and in the dashboard it looks as if every IP is active, which isn't true. There is just an "Enabled" user associated with it.

    5 votes
    1 comment  ·  Network Protection
  12. Enabled Clientless User Upon Creation When Adding Range

    We have a small college campus and several /24 networks full of IoT devices that aren't managed by our organization.

    Currently, if you use the "Add Range" feature you have to go back through and "Activate" all created users, which becomes tedious very quickly. It would be nice to add an option to enable all users upon creation when using the "Add Range" feature.

    1 vote
    0 comments  ·  Network Protection
  13. Modify Recommended Action on IPS signatures

    Allow the user the ability to modify the Recommended Action setting for system-defined IPS signatures.

    4 votes
    0 comments  ·  Network Protection
  14. Allow the ability to download\manage Snort rulesets

    There is a plethora of Snort rulesets that should be of great value to XG users but implementing these at present seems horribly difficult.

    Snort users have a lot of flexibility in terms of managing the rulesets within the application - it would be great to have more of that here as well.

    4 votes
    0 comments  ·  Network Protection
  15. 15 votes
    5 comments  ·  Network Protection
  16. IKE v2 remote access support

    Now in firmware v17 there is support for IKE v2. But it is still not possible to use it for remote access.

    23 votes
    2 comments  ·  Network Protection
  17. Data Loss Prevention for web & apps

    Request for adding a "Data Loss Prevention" feature in XG Firewall

    Dear Developer Team,
    We should permit users to log in to public webmail, public cloud storage or social media, but I don't want to permit them to attach/upload data, or I can permit uploads of a specific file size. In this way I can block a possible disclosure of corporate data.

    I hope you will consider this and that we will get this feature soon in upcoming firmware.

    11 votes
    1 comment  ·  Network Protection
  18. User DNAT Rules

    We have a requirement to force all outbound DNS requests to particular IPs. But we cannot create a DNAT rule to do this on the XG, even under SFOS 17.0.0 GA. The DNAT has to be an IP and cannot be a network. Can this be changed to allow networks, ideally ANY?

    Thanks,
    Nick

    5 votes
    2 comments  ·  Network Protection
  19. Show IPsec Connection Detail for ReadOnly-user

    With a RO-user this user can only see if the tunnel is up or down, not the "Connection Detail" with all connected networks. The Connection Detail page loads, but the user is not able to see any network.

    4 votes
    0 comments  ·  Network Protection
  20. Add SNMP Service to Local Service ACL Exception Rule

    I am requesting this feature after talking to support about trying to replicate functionality from Cyberoam OS to Sophos OS.

    In Cyberoam I had restricted SNMP access to a group of IP addresses on the WAN interface to allow the ISP to graph network traffic.

    I was able to achieve this in Cyberoam OS by using a WAN > LOCAL firewall rule. The LOCAL zone is not available in Sophos OS.

    One technician told me I could achieve this by making a WAN > WAN firewall rule? But I was later told that would not work.

    I noticed there is…

    7 votes
    1 comment  ·  Network Protection