XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.

  1. Allow wildcard subdomains in Firewall rules

    Firewall packet filtering based on wildcard subdomains and reverse DNS resolution.

    We would like to allow/deny connections based on a wildcard subdomain (think *.example.com). Only way to do that is to reverse DNS the destination IP and allow/deny based on the wildcard rule?
    Although there is the common possibility that the reverse DNS is not the same as the A or CNAME record requested, so I'm not sure how useful that would be.

    But, we would really appreciate the ability to filter based on wildcard subdomains.. like *.update.microsoft.com. See:
    https://technet.microsoft.com/en-us/library/bb693717.aspx

    93 votes

    7 comments  ·  Network Protection
  2. Request To Add the application Mobile Legends to be available under application filtering of Sophos UTM and XG

    Request To Add the application Mobile Legends to be controlled under application filtering of Sophos UTM and XG

    Customer is requesting to add the games mobile legends under Application Control on Sophos UTM and Sophos XG

    Application: Mobile Legends
    Publisher: https://www.mobilelegends.com/
    Reason for request: This game is not filtered on Sophos SG and XG Application Control

    2 votes

    Completed  ·  0 comments  ·  Application Detection Requests
  3. XG Client for Chromebooks

    It would be really nice to have a Chrome extension for the XG firewall to identify a Chrome user using a Chromebook. This way we could identify user or Group to use certain rule sets. This would also be great for reporting purposes.

    20 votes

    2 comments  ·  Base System + General UI
  4. Disable web caching by default on XG firewalls

    Nowadays it is very rare to use web caching given the speeds/bandwidth of today's networks. This feature is on by default on the XG firewall - most products, no matter the vendor, have this option disabled.

    Caching often causes more issues than benefits and can often break webpages and is something overlooked.

    8 votes

    Completed  ·  1 comment  ·  Web Protection
  5. Add support for 64bit SNMP

    Currently Sophos supports only 32bit SNMP MIB and is unable to provide a reading on an interface which is more than 150Mbps.
    Currently the UTM 9 supports 64bit SNMP.
    Urgently need this to be available as most of my customers are running Gigabit networks now.

    72 votes

    11 comments  ·  Base System + General UI
  6. 38 votes

    1 comment  ·  Base System + General UI
  7. Add Namecheap DynDNS Provider

    Please add Namecheap to Dynamic DNS providers list. It is supported in UTM but not in XG.

    32 votes

    10 comments  ·  Dynamic DNS Providers
  8. Negate Objects in the Firewall Policy

    In the Firewall Policies, I miss a feature to negate an object inside a rule.

    So for example I could define in a single rule: Whole of Zone LAN is allowed as destination, but not the object "Server xy"...
    Or Any Service is allowed, but not SQL

    In the policy change view, I have two action-icons: One for editing and one for removing it. A third Icon of negating would make the UI-part (and the object then could be seen as striked through or similar...).

    9 votes

    0 comments  ·  Network Protection
  9. Include Invincea's Deep Learning Engine (Machine Learning) on the UTM

    Since Sophos has purchased Invincea, I am requesting that Sophos include Invincea's pre-execution Deep Learning Engine (Machine Learning) on the UTM itself.

    Now that Sophos has acquired Invincea and their scanner's ability to detect new malware before it executes, if the scanner was included on the UTM, it could increase the detection of unknown malicious files before they execute.

    With the combination of Sophos' database of known safe files which it could check files against, Sophos could avoid the problem of false positives from Machine Learning detection.

    I am requesting that Sophos add this Machine Learning layer to the UTM…

    12 votes

    0 comments  ·  Web Protection

    In version 18 we are leveraging Deep Learning capabilities in Sophos’s cloud-based analysis platform. When we send a suspect file to be scanned with Sandstorm, samples will also be checked with Deep Learning AI models. Deep Learning is also embedded into the sandbox environment and is used extensively during sample detonation. Version 18 will also provide new in-depth analysis reports that use aspects of machine learning to show how suspect items relate to other known good or bad files.

  10. Multiple parameters filter options in Firewall Rules like Source IP, Destination IP, Port and multiple rules IDs selected at once.

    Multiple parameters filter options in Firewall Rules like Source IP, Destination IP, Port and multiple rules IDs selected at once.

    7 votes

    Completed  ·  0 comments  ·  Base System + General UI
  11. dns group

    On Sophos SG you can create a definition for a "DNS Group", which is a really useful feature when needing to define multiple IPs for firewall rules, device access and so on. It would be nice to have this on XG.

    10 votes

    2 comments  ·  Base System + General UI
  12. Adjustable HA Monitored Interfaces

    Make it possible to add or remove a monitored port from the HA configuration. At the moment we need to rebuild the HA Cluster for simply adding a new interface to it.

    62 votes

    8 comments  ·  Base System + General UI
  13. Change SSL VPN Port

    Right now it is not possible to change the SSL VPN Port by GUI. Port 8443 is used by default. Please add the possibility to change, because Port 8443 is not allowed in many networks.

    411 votes

    Completed  ·  41 comments  ·  Network Protection
  14. Smtp malware scanning support with user / network policy

    Smtp malware scanning support with add user/network policy

    Not scan smtp malware with user / network policy.
    I want this function to be supported

    5 votes

    0 comments  ·  Network Protection
  15. Update Maxmind GeoIP Database

    Would be great to be able to update the GeoIP Database used for country based firewall policies.

    12 votes

    Completed  ·  0 comments  ·  Base System + General UI
  16. Zero-config HA

    Clustering UTM is very easy. Now you have to assign an IP to the ***** XG and create the cluster. UTM clustering technology is the simplest one I have ever seen. The other thing is the DMZ zone to be used when you need to create the cluster. A dedicated zone should be available (maybe HA?). Also a second interface is missing as an alternate interface.

    163 votes

    9 comments  ·  Base System + General UI
  17. Disable Columns for syslog

    When I send the logs to syslog-server, I get all the columns into the log.

    Since I don't use some functions, which generate only columns with empty values, I would prefer being able to disable some columns, so they are not sent to syslog at all: Logfile would be much more readable - thank you!

    3 votes

    1 comment  ·  Reporting
  18. Rename/Comment Physical Interface objects

    It should be allowed to change the name of Physical Interface objects from default PORTx name to custom one.
    Also, comment attribute/field should be added for additional description (like it was available in UTM9).

    420 votes

    26 comments  ·  Base System + General UI

    The ability to rename interface objects will be delivered in version 18 of SFOS. We will not be adding comments at this time.

    If comment/description field is important to you, support this item, which is specifically about providing comments fields more generally across the board: https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/38328700-more-objects-should-have-note-fields

    For information on how to get early access to version 18, go here: https://events.sophos.com/v18eap

  19. Secure Backups [UTM -> XG Feature Gap]

    There is currently no method of securely automating the config backup on the XG Firewall but this is possible on the UTM.

    The product should offer the option of password protected backup files to be sent via email. In addition adding support for Secure FTP with customisable port would also be a great addition.

    58 votes

    5 comments  ·  Base System + General UI
  20. Improve Logging

    At the moment understanding what's going on is very HARD. Live logs are missing and notepad on every section is missing.
    Add live log and allow admins to configure itself coloured live logs (globally or on single windows?). In this way logs have different level of importance and Admins can better understand if they need to worry about or not. For example allow Admins to set red for high-risk/denied traffic/system error, yellow for warning/natted/or whatever and so on.
    I really love the live log on Firewall section of UTM9 where reading what's happening is very very easy.

    440 votes

    29 comments  ·  Base System + General UI

    We have released significant improvements to logging since this idea was first posted.

    There are certainly still more things we could do.

    I’m closing this item in the hope that users will post some more specific and detailed ideas for where to go next, with good examples of use cases/value provided. There are also many interesting ideas already posted that you could support or contribute to.
