XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.

  1. SFOS 18 - WAF error log - WEB viewer VS /log/reverseproxy.log - Improvement debugging - faster debugging

    Hi Sophos,
    I'm a Sophos Architect.
    Using WAF functions in depth, I'm amazed at the necessity to tail the reverseproxy.log to obtain the ID field of the error [id "<rule number>"].
    In the WEB log viewer, under Web Server Protection, I don't have this information!!!
    Why?
    Is it complicated to get this [id "<rule number>"] in the WEB log viewer?
    Thank you for implementing this function in the next release.
    Regards
    Alexandre Rastello | Consultor Sénior - Tecnologias Informação | Sophos Architect

    1 vote
    0 comments  ·  Webserver Protection
  2. Request for WAF TLS1.3 Support

    Request for WAF TLS1.3 support feature.

    8 votes
    1 comment  ·  Webserver Protection
  3. Allow more than 60 HTTP-based/WAF policies - URGENT

    I reached the limit of 60 HTTP-based / WAF policies. I am migrating the rules from an ASG to an XG. We still have to create more than 18 policies. Please, we urgently need this limitation to be removed or extended.

    21 votes
    3 comments  ·  Webserver Protection
  4. 2 votes
    0 comments  ·  Webserver Protection
  5. Enable/Disable Ciphers

    Add option to disable ciphers.

    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA256
    TLS_RSA_WITH_AES_128_GCM_SHA256
    TLS_RSA_WITH_AES_256_CBC_SHA
    TLS_RSA_WITH_AES_256_CBC_SHA256
    TLS_RSA_WITH_AES_256_GCM_SHA384
    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA

    4 votes
    0 comments  ·  Webserver Protection
  6. XG Firewall should allow option to keep domain name while changing or renewing certificate

    We have an issue with XG Firewall: it does not allow renewing a certificate while it is in use, and if we create a new certificate it removes all custom domain names from the Domain field, and there is no option to keep these domain names. We can't copy-paste or import these domain names, and adding the domain names one by one requires a lot of time and effort. Please provide an option so we can keep the existing domain names while changing the certificate.

    2 votes
    0 comments  ·  Webserver Protection
  7. Add Actual OWASP / ModSecurity Rule_ID to WAF Logs

    Coming from UTM: it used to at least include the rule ID in ModSecurity that caused the block. Under XG there is no ID, so it is currently impossible to identify the rule that needs to be whitelisted.

    2 votes
    0 comments  ·  Webserver Protection
  8. WAF is unable to protect exe file upload

    I am handling an XG750 v18 Sophos firewall. WAF is also implemented, but WAF is unable to protect against exe file upload to the server. WAFed website should protect against it (i.e. manage a custom policy to allow or deny upload of any type of file to the server). Even if exe upload is allowed from the server side, from the WAF it should be turned off.

    3 votes
    0 comments  ·  Webserver Protection
  9. Do not add "Cache-Control: no-cache" to header when publishing web through WAF with form authentication

    Do not add "Cache-Control: no-cache" to header when publishing web through WAF with form authentication. It was discussed in support ticket #9847958:
    "According to the development team, Header "Cache-Control: no-cache" is set by reverse proxy for pages protected by reverse form authentication. This is necessary because requesting protected pages must be checked against the origin server."

    When publishing web with no authentication or with basic authentication, it is OK and no caching is affected.
    All webs published with form auth are extremely slow because all requested items (jpg, css, script, ...) are transferred from XG every time user clicks or…

    1 vote
    0 comments  ·  Webserver Protection
  10. Allow more than 60 HTTP-based/WAF policies

    I've hit a limit of 60 HTTP-based/WAF policies, and I need more. I was told this is hard coded to limit it to 60. I'd like to get this increased.

    8 votes
    1 comment  ·  Webserver Protection
  11. Update SSL Certificate on WAF rules removes listed domains / add possibility to add wildcards

    When updating a wildcard certificate under Firewall - Business Rule - WAF, an error pops up stating that *.domain is invalid and removed. Next, all domains currently listed are also removed. To add again (and again) all domains used with a wildcard certificate is time consuming and faults are easily made.

    Stop removing all domains, or make an export/import possibility. Better yet, accept wildcards just like the UTM did, and let the webserver handle the URLs.

    2 votes
    0 comments  ·  Webserver Protection
  12. web server category

    IPS Policy rules category for Linux based Web Servers.
    Select rules category to apply for Linux Based Web servers.

    1 vote
    0 comments  ·  Webserver Protection
  13. x-header forwarders in XG Firewall

    Please add x-header forwarders in XG Firewall to see real IP addresses from Cloudflare or CDN networks.

    11 votes
    0 comments  ·  Webserver Protection
  14. ciphers

    Hi,

    Kindly add the following cipher support in XG Firewall for Web Server protection:

    TLS1.2-DHE-RSA-AES-256-SHA256
    TLS1.2-DHE-RSA-AES-128-SHA256

    3 votes
    0 comments  ·  Webserver Protection
  15. Allow "IP Range" on “Access Permission”

    If you do “Add new item” on “Access Permission”, it does not show any IP hosts that are configured as “IP range”. For example, I wish to add host “IP-Group-1”, which is there and shows correctly when you look in the IP host section. But it allows you to create a new range at that point, not use an existing one. I think this is more of a bug than a request, but support told me to log it here.

    2 votes
    0 comments  ·  Webserver Protection
  16. Schedule WAF rules

    Version 18 has changed how Business Application Rules work. DNAT is done by a combination of NAT policy and regular firewall rules, which can have scheduled on/off times.

    WAF/Webserver Protection rules cannot currently be associated with schedules.

    This item is created so that folk who previously supported the Business Rule schedule feature because of a WAF requirement can transfer their votes here.

    8 votes
    1 comment  ·  Webserver Protection
  17. Microsoft SSTP VPN pass through WAF rule

    At the moment, it is not possible to publish Microsoft SSTP server through WAF rule. Traffic is blocked at the Proxy module level. It would be good if this module were told about SSTP.

    4 votes
    0 comments  ·  Webserver Protection
  18. Customise WebServer Protection Block Page Messages

    Currently, the ability to customise the Webserver Protection block page messages is not present.

    When the WAF (Web Application Firewall) blocks a page, it returns 'page cannot be display'. This should be customisable.

    The AntiVirus engine on the WAF should also be customisable on the block page returned.

    9 votes
    1 comment  ·  Webserver Protection
  19. Web Server Protection should support multiple group membership

    Recently we created a new ticket with Sophos support (#9307623) and they confirmed that 'at a time a user would be part of one group'. This puts us in a hard position when we have 2 websites which need to be authenticated with 2 domain groups, and we have multiple users who belong to both of these groups as well. Therefore, we cannot separate them to authenticate them properly.

    I suggest Sophos should improve this feature to make it easy for customers to configure many authenticated websites appropriately.

    Thanks.

    34 votes
    0 comments  ·  Webserver Protection
  20. Ability to use non standard port for configuring web server under XG

    Hello Team,

    We have a customer here requesting to use a non-standard port (other than port 80 and 443) for configuring a web server under XG. For your assistance please. Thank you.

    3 votes
    1 comment  ·  Webserver Protection