XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.

  1. XG VRRP Support

    @Sophos Development Team - When can we expect VRRP on XG, or between the same and/or different XG models? Fortinet is on speed with this feature and I've used it many times on Forti before. It really came in handy with different scenarios.

    1 vote
    0 comments  ·  Base System + General UI
    • Heartbeat client list must be available at ANY time

      Heartbeat client list must be available at ANY time, not only if there is a missing or at-risk client.
      Otherwise there is no way to determine which client is registered with heartbeat (especially as live connections heartbeat clients differ from Security Heartbeat status).

      2 votes
      0 comments  ·  Base System + General UI
      • Dual-Stack (IPv4+IPv6) Single Sign ON

        IPv6 is a reality and there are a lot of installations that have dual-stack networks in operation, essentially meaning the user has both IPv4 and IPv6 IPs and currently has to authenticate on both of them independently.

        Instead, the sign-on page, when it loads in the user's browser, should be able to detect both IPv4 and IPv6 address reachability from the client to the XG firewall, and the username/password provided should be used to authenticate for both of them.
        We have to make a workaround using our internal servers to do the same as we…

        2 votes
        0 comments  ·  Base System + General UI
        • Master and ***** identification in HA

          It would be great if Master and ***** are identified in HA configuration. It is not possible to know which one is the master, only the active and standby.

          1 vote
          0 comments  ·  Base System + General UI
          • Change power button to allow graceful shutdown

            It would be great if the behavior of the power button on the back of XG appliances could be configurable.

            At the moment if you press the button on an XG85 the unit turns off immediately.
            We'd like to change this to trigger a graceful shutdown.

            We have appliances that tour and are set up and packed up every few days and would rather be shutting them down properly.

            1 vote
            0 comments  ·  Base System + General UI
            • Force Sync AD Server

              https://community.sophos.com/products/xg-firewall/f/sophos-xg-firewall-general-discussion/97083/how-to-force-an-ad-sync

              I have an AD connector located under Configure - Authentication - Servers and that is reading in a few groups from AD and a bunch of users.

              If I remove a user from one of the groups in AD and add them to another group in AD, the change doesn't seem to reflect reliably in the Sophos.

              6 votes
              0 comments  ·  Base System + General UI
              • Combine IPv4 and IPv6 firewall rules

                There should only be one list of firewall rules, with IPv4 and IPv6 as options within each. So each rule can apply to v4, v6 or both simply by toggling the appropriate check box. (See pfSense. This is how it handles firewall rules and it's far superior.)
                The current separate list of IPv6 rules requires double the effort to set up matching rules and can result in overlooking one or the other protocol.

                2 votes
                0 comments  ·  Base System + General UI
                • Assign multi IPs to a single clientless user

                  Allow multiple IPs (predefined as static) to be assigned to a single clientless user. This will be especially helpful for environments with lots of IoT devices, as they can all be assigned by group to multiple users, greatly increasing the readability and usefulness of the reports. For example, all smart bulbs can be assigned to one user, all Alexa devices to another, as opposed to having 30-odd individual clientless users cluttering reports.

                  2 votes
                  0 comments  ·  Base System + General UI
                  • Device Access Profile - Fine Grained Options

                    I want to give some admins permission to make certain changes in the firewall settings. The problem with Device access profiles is that there aren't enough detailed options to limit the admin from certain firewall rules.
                    It would be nice if we could give permissions to edit only certain firewall rules, and not all of them, for certain admin users.

                    1 vote
                    0 comments  ·  Base System + General UI
                    • client software

                      Client software should be configurable so that it can be changed with the user's company logo.
                      A logout option should be present. The Android client should be updated for all mobile handsets.
                      It is now not able to install on my mobile handset.
                      It should not ask for a Client Authentication certificate for every handset and new user.

                      2 votes
                      0 comments  ·  Base System + General UI
                      • client software

                        Client software should be configurable so that it can be changed with the user's company logo.
                        A logout option should be present. The Android client should be updated for all mobile handsets.
                        It is now not able to install on my mobile handset.

                        3 votes
                        0 comments  ·  Base System + General UI
                        • 4G connection stays connected even though it is set to backup on the WAN link manager

                          If you can, enhance the 4G feature on the XG so that the 4G connection stays connected even though it is set to backup on the WAN link manager.
                          On the WWAN settings it should have something like dial on demand and inactivity timeout so that, if there is no activity on the interface, it still shows it's connected. In the event of internet downtime it will fail over immediately to the 4G connection, without dialing before you can gain internet connection.

                          1 vote
                          0 comments  ·  Base System + General UI
                          • Option to create a Blackhole route

                            A blackhole route will be used for VPN routes; when the VPN status is down, traffic will not be sent over the default route.

                            5 votes
                            2 comments  ·  Base System + General UI
                            • Disable default bridging

                              When setting up XG 17.5 for the first time, all unconfigured interfaces are bridged with LAN :-(

                              VERY annoying, because when you want to disable the bridge, you need to unbind one interface, assign a new IP on the unbound interface and assign the LAN zone to that interface. Then you can switch port to the new interface and log in to remove the bridge. NOT GOOD.

                              When bridge is needed, we can easily configure it, when doing it from port 1 ourselves ;)

                              3 votes
                              0 comments  ·  Base System + General UI
                              • HA-Failover persistent Logging and Reporting

                                With every HA failover the Logging and Reporting is cut - it seems that the Logging and Reporting databases are not synchronized between the Active and Passive node.

                                Please sync the Logging and Reporting between the two nodes.
                                Missing log entries is crucial if you need to investigate security issues and you won't find entries for a given time because you had a failover.

                                Simple reproducible example:
                                Schedule the "Weekly Executive Report" and do a firmware update or a reboot of the primary appliance in the middle of the week - you'll see only half of the report filled with data.

                                4 votes
                                0 comments  ·  Base System + General UI
                                • Ability to add a trusted SSL certificate to the iView web admin

                                  Currently the iView web admin/dashboard comes with a certificate from a non-trusted CA (CyberoamApplianceCertificate). It's fine to add that as a trusted certificate internally but we would like to allow sub-contractors access from other locations, so the ability to import a trusted certificate would be great.

                                  3 votes
                                  0 comments  ·  Base System + General UI
                                  • Consistent backup file extension

                                    Currently the backup files don't have a specific file extension; they use the following file format: Backup_SerialNumber_Date_hh.mm.ss where hh.mm.ss displays the time of backup creation. The seconds are interpreted as a file extension by many virus scanners, so they often get blocked and I'm unable to create an exception as I have to use 60 exceptions (00 - .59). It would be great to have a single file extension for backup files.

                                    3 votes
                                    0 comments  ·  Base System + General UI
                                    • create firewall rule from logviewer

                                      When traffic in Logviewer is displayed, it would be nice to open a new firewall dialog prefilled with the information from the log entry,
                                      with a dropdown box for already created objects for the selected IP or the possibility to create a new IP object.

                                      8 votes
                                      0 comments  ·  Base System + General UI
                                      • Routing table does not show IPSEC networks

                                        The CLI command 'route' does not show IPSEC networks.

                                        SFOS 17.5.0 GA

                                        2 votes
                                        0 comments  ·  Base System + General UI
                                        • OSPF Routing Precedence

                                          The 'static routes' option in the CLI command is not only static routes but OSPF routes as well.

                                          It would be nice to rename this option in a future release since the routing precedence is changed as well for dynamically learned OSPF routes.

                                          console> system route_precedence set policyroute static vpn

                                          XG SFOS 17.5.0GA

                                          1 vote
                                          0 comments  ·  Base System + General UI