XG Firewall
Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.
-
User Disconnect Facility in the User Access Portal
It is requested that users be provided with a facility to disconnect their own live session through the User Access Portal. Right now there are 2 facilities available in the firewall to disconnect a user: (1) by the firewall admin via Current Activities > Live Users > Disconnect, and (2) the user logs in on the same PC and logs out himself. Users need an extra facility to disconnect themselves from any PC through the User Access Portal.
1 vote -
User Disconnect Facility in the User Access Portal
It is requested that users be provided with a facility to disconnect their own live session through the User Access Portal. Right now there are 2 facilities available in the firewall to disconnect a user: (1) by the firewall admin via Current Activities > Live Users > Disconnect, and (2) the user logs in on the same PC and logs out himself. Users need an extra facility to disconnect themselves from any PC through the User Access Portal.
0 votes -
Surfing quota should not apply to SSL VPN login when SSL VPN is not used as a default gateway
Based on case 03497881, Sophos doesn't think that having the surfing quota tied to the SSL VPN function is a bug even when SSL VPN is not used as the default Internet gateway. This should be changed so customers do not need to create separate user IDs for LAN usage and for SSL VPN login.
1 vote -
RADIUS on Sophos XG Firewall should forward the IPv4 attribute to the MFA solution
The RADIUS connection from Sophos XG Firewall doesn't forward the IPv4 attribute to our MFA system (in tests, other firewall vendors do that).
We are using the RADIUS attribute CALLING-STATION-ID (31) in our ENTRUST MFA solution.
In our setup users authenticate through RADIUS when connecting with remote VPN (Sophos Connect) - we can see the remote IP of the user in the firewall, so the XG knows it - but the IP is not forwarded to the MFA solution.
The IP is used e.g. for risk management settings.
2 votes -
Authentication: UUID instead of MAC address for binding
Sophos XG supports MAC binding for user authentication.
This is a feature used e.g. for SSL VPN connections to identify devices.
Mobile devices with Android or iOS as operating system do not support sending the MAC, but instead the UUID.
Therefore I request adding this feature so we can identify corporate devices by UUID.
1 vote -
User Portal MFA
If you try to log in to the user portal with MFA enabled, the login form needs to display either another text box to insert the MFA code or a message stating that an MFA code needs to be appended to the password.
The current login form causes a lot of helpdesk calls because they don't realize (or keep forgetting) that their MFA code needs to be inserted after their password.
1 vote -
SSL VPN MFA
With an SSL VPN client with MFA enabled, the login form needs to display either another text box to insert the MFA code or a message stating that an MFA code needs to be appended to the password.
The current login form is rather crude and causes a lot of helpdesk calls because they don't realize (or keep forgetting) that their MFA code needs to be inserted after their password.
An upgraded form with logo that looks more professional would be my preference please.
7 votes -
Bugs in Authentication Agent for macOS
When OTP (one-time password) is enabled for User Portal it causes the Client Authentication Agent for macOS to not work UNLESS the user enters their username and password PLUS their OTP token.
I have tested and confirmed this with Sophos support.
Enabling OTP for the User Portal should have NOTHING to do with the Authentication Agent for macOS. Furthermore the Authenticator agent should never require an OTP. Otherwise the poor user will need to re-enter his or her credentials every time their Mac is rebooted.
Second bug: There is an on-going display issue with the Authentication Agent for macOS. The…
2 votes -
Need "Force change default password at first logon and expiry policy" in XG Firewall
We need to change the default user password at first login and an expiry policy, or another easy way for users to change their password by themselves.
1 vote -
Connect user portal
Even if LDAP server authentication is configured, Sophos Connect users have to log in to the User Portal one time before connecting through VPN.
Connect users must be able to connect without logging in to the User Portal beforehand.
Regards
1 vote -
Prevent Authentication Requests from Computer Accounts
We are seeing issues with NTLM/Kerberos authentication where the device name is authenticating with Sophos XG vs the user. It seems to be that some Microsoft services are causing this and it is causing blocked web access.
Ideally, it would be nice to see an option made available where you can filter out or prevent Sophos from Authenticating computer objects/devices in AD, and only to authenticate user objects.
1 vote -
SSL VPN Public Key Authentication
Allow a public key authentication method for XG SSL VPN clients. It would also be a bonus if keypairs could be generated within the GUI rather than the CLI.
1 vote -
Request to have much more user friendly two factor authentication for Sophos Connect 2.0
Hello Team,
We have a customer here requesting a much more user-friendly two-factor authentication for Sophos Connect 2.0. The current 2FA on XG, like appending a 6-digit code to a password to gain access, is not user friendly. Requesting, if possible, for Sophos XG to support a third-party 2FA that is much easier to use, with no need to enter the token or one-time password.
For your assistance please.
Thank You
4 votes -
Require local user password criteria to be defined
Administrators should be able to require users' passwords to meet certain password criteria/complexity: character length, case, numeric, special characters.
2 votes -
Password Age and Password History Feature Add to Password Complexity
It will be a good value add for the purposes of PCI-DSS audits, that the firewall should have in its local authentication mechanism (if the customer opts to use this option as against offloading to a dedicated IAM) for administrators and end users, a password age, and Password History feature.
Password Age will ensure that the administrator can set how old a user's password or admin password can stay in the system unchanged before it begins to remind the users and admin to change their password. It can be 30 days, 45 days, 60 days, or as flexible for the…
1 vote -
Multi factor authentication to be integrated on active directory
Hello Team,
We have a customer here requesting multi-factor authentication integrated with Active Directory, as they will need different levels of security between their SSL VPN users. For your assistance please.
Thank You
7 votes -
current Activities>Live Users
Please Provide the MAC Address also in Current Activities>Live Users
3 votes -
Radius Server supply UserGroup from AD
Let the Radius Server supply a Groupname for different Firewall Rules
4 votes -
802.1x
XG already has 802.1x for AP authentications, but it can't be used as a client. Many ISPs (specifically AT&T) use an 802.1x client on their supplied CPE with priority VLAN 0 tagging to authenticate.
UTM can replace the vendor-supplied CPE by adding a wpa_supplicant, but you don't have the kernel-level control on XG as you do on UTM. Sophos would have to add this feature to XG.
4 votes -
Google Admin Domain Added to Authentication Servers
I have an XG330 box, with user accounts available in a Google admin mail domain. I want to use the Gmail accounts for authentication purposes. How can I add the Google domain as an authentication server?
2 votes