XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.

  1. Advanced NAT options for firewall rules

    I have seen multiple forum posts about this, and there are also some feature requests that all come down to the same issue: managing NATs kind of sucks on the XG!

    On a user rule, the only thing we can do is masquerade. That's not always useful. There's no way to control DNAT and SNAT options in a good way. We don't have a proper way to set up a 1-to-1 NAT for a full network other than creating two business rules that are really not made for this purpose. It's completely unintuitive and not well designed.

    The Network Address Translation…

    9 votes

    0 comments  ·  Network Protection
  2. Harmonize log format

    The current log format has key=value pairs, which are easy to manage in certain centralized logging solutions. However, some of these values contain quotation marks (") and some do not. As there are several longer values, a quotation mark is reasonable and thus every value should have quotation marks.

    2 votes

    0 comments  ·  Base System + General UI
  3. Quota on Web

    The administrator must be able to reset the Quota for a user.
    This option was working fine on the UTM but is not available in the XG.

    The Quota only works well when I can set Quota on a user activities group.
    And in this group are categories.
    And a user can be in different groups on the XG.

    So you have a group with free internet for work and a group with Quota internet for pause or fun.

    1 vote

    0 comments  ·  Web Protection
  4. Per-policy control for SafeSearch

    Please provide the option to enable/disable SafeSearch and YouTube restricted mode per policy.

    In schools we need the ability to enable/disable SafeSearch and YouTube restricted mode based on the policy for individual user groups rather than globally, while at the same time having web category filtering.

    For example, we would like to turn SafeSearch mode and YouTube restricted mode off for certain staff groups while maintaining the category filtering, whereas for students we want SafeSearch and the YouTube restricted mode on at all times.

    88 votes

    13 comments  ·  Web Protection
  5. TLS verification errors must be logged

    As long as you open an HTTPS page via a browser, you may see that there is an SSL verification error and that XG did block traffic.

    As TLS verification is also implemented in FTPS (Scan FTP for Malware), you won't get any message on failures; you can only imagine that traffic won't pass because of a TLS error.

    The same applies if HTTPS is used by applications, e.g. internal software updates.

    3 votes

    0 comments  ·  Webserver Protection
  6. Display "allowed client networks" on firewall nat/business policy and UI improvements

    Hello,

    At the moment, if you have a NAT rule in place, for example 3389 to an internal server, and you restrict the rule to a specific IP list, in the main firewall view you cannot see that the rule has any source restrictions unless you go into the rule.

    This can take a 1-minute task of checking all your rules for security policies and make it a 1-hour task.

    It would be great if the firewall page used the entire screen and displayed more information for each rule so you never have to go into a rule to…

    47 votes

    3 comments  ·  Base System + General UI
  7. Separating “YouTube Restricted Mode” from "Enable SafeSearch" feature

    Separating YouTube "Restricted Mode" from the "Enforce Safe Search" option in XG Firewall would allow much more flexibility for customers.
    YouTube "Restricted Mode" is currently just too "restricted" (not usable) and customers should have the possibility to turn it on or off without impact on SafeSearch.
    On the other side, SafeSearch is a very useful feature that customers would probably have always on.

    97 votes

    12 comments  ·  Web Protection
  8. Time-based restriction on business application rules on XG firewall

    Time-based restriction on business application rules on XG firewall for external to internal traffic

    6 votes

    1 comment  ·  Base System + General UI
  9. Give name for interface

    It should be possible to give a name to an interface. I have over a hundred VLAN interfaces configured for one of our customers and it is a pain ********** to try to figure out that amount of VLANs without knowledge of their names.

    79 votes

    1 comment  ·  Base System + General UI
  10. Allow IPv6 address on VLAN interface

    Currently unable to add an IPv6 address to a VLAN interface when the physical interface doesn't have an IPv6 address.

    10 votes

    0 comments  ·  Base System + General UI
  11. Web Category and Reputation Override like UTM

    On UTM we have the Web Category and Reputation override. This can help to add additional URLs/domains to the proper category so that even the reports match. On XG this is not possible. I guess this feature should not be so hard to implement. I really like the XG web section. Thanks

    35 votes

    3 comments  ·  Web Protection
  12. Edit a service object that is in use without removing it from rules

    Ability to edit a service, like changing port numbers on a service, that is in use in multiple business rules. Currently you can't change UDP from port 9000 to 9001 and have it update in the business rules it applies to. You have to remove the business rules first to edit the service, or create a new service. This is a much bigger process. As an admin I want to click the service, edit, change, done. We are not end users, we are admins.

    5 votes

    0 comments  ·  Base System + General UI
  13. Inside activation Firewall Rule

    If a Firewall Rule (User/Network Based) is disabled, it would be nice to have the option to activate it inside the rule configuration as well.

    1 vote

    0 comments  ·  Network Protection
  14. Please have all Public IP vs Internal IP NAT IP information in tabular format

    Hi Team, could you please have all Public IP vs Internal IP NAT IP information in tabular format? Every time, I would need to check every NAT/Business rule.

    This is a frustrating and time-consuming process and has chances of wrong assessment.

    1 vote

    0 comments  ·  Base System + General UI
  15. Allow exclusions for certificate validation

    For Web Protection it would be good to have the option to download / exclude certificates for certificate validation (Block invalid certificates in General Settings).
    The setting like we have in SWA is missing in XG: http://wsa.sophos.com/docs/wsa/webhelp/swa/tasks/ConfigGlobalPolCertValidAddFromWeb.html

    4 votes

    1 comment  ·  Web Protection
  16. Delete/Disable several Firewall rules at once

    Not possible to delete or disable several rules at once.

    9 votes

    2 comments  ·  Base System + General UI
  17. Reflexive feature for LAN-LAN rule creation should be there in Sophos Firewall like Cyberoam

    As I recently noticed while creating a Business rule to forward a port, if we select "create reflexive rule" it doesn't create a rule for LAN-LAN access, as Cyberoam does.

    So I request you to kindly add this feature in a future upgrade. It helps to optimize time and have clarity for the same.

    1 vote

    0 comments  ·  Base System + General UI
  18. MTU sizes above 1500

    Allow the XG to increase the MTU size above 1500. Sophos SG has this capability. Our ISP requires setting MTU higher than 1500 MTU. What happens when we need to support jumbo frames on our LAGs?

    56 votes

    11 comments  ·  Base System + General UI
  19. Backup File Encryption

    Encryption of File, needed especially when emailing backups

    4 votes

    Completed  ·  0 comments  ·  Base System + General UI
  20. Authentication: Configurable RADIUS timeout

    Repost from the UTM ideas board. This needs to be in XG as well. As it stands, if a RADIUS policy requires an MFA action, the login process does not wait long enough for users to respond. Because we have no control of the timeout during login for the admin portal, user portal, and SSL VPN, it renders RADIUS-based MFA useless. This in turn makes XG and UTM an impossible sell for clients that mandate the use of MFA, which is increasingly in demand. Help us help you, Sophos!

    71 votes

    10 comments  ·  Base System + General UI