XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.

  1. Allow selection of CA Certificate to enroll SSL VPN User's certificate

    It would be great to allow selection of the CA Intermediate certificate used to enroll SSL VPN users' certificates (as is already done for Web Scanning).

    10 votes
    0 comments  ·  Network Protection
  2. Provide a way to check vulnerabilities for coverage by current IPS signatures

    To assess one's current level of protection, being able to check coverage of known vulnerabilities (e.g. by CVE-ID) is desirable. Implementing a solution to look up IPS signatures for coverage of specific CVE-IDs would be helpful.

    15 votes
    1 comment  ·  Network Protection
  3. Orderly Shutdown of XG HA Cluster from GUI

    Orderly Shutdown of XG HA Cluster from GUI
    When the admin selects shutdown in the GUI and the XG Firewall is part of an HA arrangement, either Active/Passive or Active/Active, it would be a good idea to automatically conduct an orderly shutdown/restart of the HA cluster in a seamless manner. This could avert the potential for any corruption related to sync failures, etc.

    7 votes
    0 comments  ·  Network Protection
  4. Socks proxy

    In UTM 9.x there was an option to use the UTM as a SOCKS5 proxy on port 1080. That was very helpful when you try to connect LAN computers to remote servers over the internet without the need to open firewall rules or NAT, e.g. bank applications transferring data between a PC and the bank office over a secured channel instead of web browsing.
    We used to run the Hummingbird SOCKS proxy client.

    38 votes
    0 comments  ·  Network Protection
  5. Firewall rule filters should be persistent

    If you filter firewall rules and then edit a rule, the filtering is lost and you have to re-apply the filter. This is a nightmare when you need to update 10 different firewall rules. Filtering should be maintained until it is cleared.

    28 votes
    7 comments  ·  Network Protection
  6. Multipath rules and same weighting as SG

    There is no ability on the XG to place Multipath rules or set the weight of an internet line to 0.

    For example, on the SG you can set a weight of 0 and then create a multipath rule to route certain traffic out via different gateways; if that gateway goes down, it automatically routes traffic out of the next.

    This is a basic feature of any firewall.

    11 votes
    0 comments  ·  Network Protection
  7. Option to use QoS by Policy instead of user/group with Authenticated access

    Today it's not possible to create more than one rule for authenticated users that specify different QoS policies.

    When a rule is marked to match authenticated users, the QoS policy selection is disabled as it is inherited from the user/group.

    Instead, the system should allow the administrator to define if the user default policy or a stand-alone QoS policy will be applied to the access.

    8 votes
    0 comments  ·  Network Protection
  8. MAC based authentication

    Give an option to restrict a user to accessing the internet from a specific MAC address only. Currently in 16.05 there is an option shown in Authentication > Users > Details, but it does not work.
    Sophos support says such a feature is not available. Please bring the feature back.

    Summary: Restrict a user to a particular MAC address. The user should be able to log in to the internet/UTM from this MAC address only.

    70 votes
    12 comments  ·  Network Protection
  9. Device type and OS type detection, so rules can be applied by it

    Please, we need to apply rules by device type or OS type.
    Most of our customers ask for it, because it is included in other firewalls.

    93 votes
    17 comments  ·  Network Protection
  10. XG as OpenVPN client

    The ability for XG to act as an OpenVPN client with the ability to open separate tunnels based on destination country would be great.
    I fully realize this functionality is probably most relevant for non-paying home users, so I ask this with a lot of diffidence.

    26 votes
    3 comments  ·  Network Protection
  11. Support for DNScrypt

    Is it possible to add DNSCrypt support, please? Everything that can be done to make DNS more secure is urgently needed :)

    36 votes
    9 comments  ·  Network Protection
  12. Weak handshake - SSL VPN

    Hi team, I noticed that the Sophos VPN uses a weak handshake for remote users despite high settings in the SSL VPN crypto configuration.
    Currently it uses: SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
    3DES-EDE is known to be weak.
    I think this is a serious problem for such a nice firewall.
    Forum post: https://community.sophos.com/products/xg-firewall/f/vpn/84727/sophos-xg-ssl-vpn-remote-use-weaker-handshake-than-specified-and-udp-failed-to-connect/

    40 votes
    1 comment  ·  Network Protection
  13. Native AWS VPC VPN Support

    The UTM supports auto-setup of site-to-site VPNs with AWS using the AWS-provided config files, but XG does not. Dynamic routing is a requirement if you wish to terminate multiple AWS VPNs from the same AWS zone. This is currently not possible, not just automatically using the AWS config file, but even manually, because the XG will not let you assign a link-local (APIPA 169.254/16) address to any interface, which Amazon requires for BGP.

    13 votes
    1 comment  ·  Network Protection
  14. Clientless Users Surfing Quota (Recurring)

    We have a requirement for a Surfing Quota option for clientless users. This would block all web traffic instead of logging the user out from live connections, since it is clientless but with the benefits of client-based users.

    18 votes
    1 comment  ·  Network Protection
  15. Anti-malware between zones for all protocols

    XG is able to filter malware only if the FTP/HTTP/HTTPS protocols are used. The engines are there but cannot be used to scan traffic between zones if the protocols are not FTP/HTTP/HTTPS.
    Please allow admins to enable malware scanning on other protocols (for example scanning CIFS/SMB).
    Thanks

    45 votes
    3 comments  ·  Network Protection
  16. OpenVPN-like SSL app for Android / iOS

    SSL client app for Android / iOS

    Sophos should develop its own app for mobile devices instead of using the OpenVPN app, which is currently causing connectivity problems with Sophos XG SSL VPN. Competitors like Fortinet, SonicWall, etc. have their own app.

    25 votes
    2 comments  ·  Network Protection
  17. IPsec and SSL VPN site-to-site auto fallback to primary link

    The VPN tunnel (both SSL and IPsec) does not revert to its primary WAN interface; a manual disable and re-enable of the Failover group/SSL VPN client status is needed for the tunnel to be established via the primary WAN interface.

    23 votes
    1 comment  ·  Network Protection
  18. User bookmarks in clientless portal

    It would be great to allow users to add their own bookmarks, or to allow group bookmarks AND user bookmarks in the admin interface for a given user.
    At the moment, you can only give access to a group bookmark.

    Since SMB bookmarks seem to need authentication (at least I was not able to make them work without automatic login), each user needs a different group of bookmarks!
    It's a mess and a considerable amount of work.

    13 votes
    1 comment  ·  Network Protection
  19. Implement support for dynamic/public IP/URL blacklist feeds

    AlienVault has OTX (Open Threat eXchange) and there's https://intel.criticalstack.com/.
    There's also a very big player, Palo Alto Networks, that provides MineMeld (see links at the bottom of this post).

    They all provide public feeds of known hostile IP addresses/ranges and URLs*.

    I would really like to be able to make use of such feeds so I can create specific rules on my firewall to block all incoming traffic from these sources and possibly outgoing URL requests to known C2 servers.

    If this blocked traffic (the outgoing attempts) is logged in a specific log, it would have the additional benefit of…

    53 votes
    16 comments  ·  Network Protection
  20. Allow ICMP request from WAN on Public Alias IP Address

    Hi,

    On the WAN port we have multiple alias public IP addresses. Now I want to allow ping to only a particular alias IP address from the outside world, to check whether the server is up or down.

    So please include this feature in XG Firewall.

    We have an urgent requirement for this because we are in the ISP business, so we want to allow ping requests from any source.

    Regards,
    Kamal Patel

    24 votes
    2 comments  ·  Network Protection