XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.

XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. WAF Source Filter by FQDN

    Currently WAF rules can only have their source filtered by IP or by Network, while regular DNAT rules can be filtered by IP, IP Range, IP List, MAC Address, MAC List, Host Group, Network, FQDN Host, FQDN Host Group, or Country Group.

    I'd like the functionality of the WAF source filter to be expanded to have the same capabilities as a full DNAT rule.

    I'm specifically after the FQDN host so we can filter and use DynDNS hostnames but the other things would be handy as welll

    1 vote
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  2. Support for Industrial Control and Automation Protocols (SCADA) in DPI / IDS

    Idea originally posted by TheMachineWhisperer in 2018 but never responded to by Sophos.

    Security for industrial automation, critical infrastructure, and SCADA systems is very much a critical issue.

    We would like to see some development to include capability for Deep Packet Inspection and control of industrial control protocols such as:

    Modbus TCP
    Ethernet/IP (CIP)
    OPC Classic (DCOM / RPC)
    Siemens S7
    DNP3
    etc.

    Inclusion of rules for these into IDS and would also be welcomed.

    A number of vendors approaching us are starting to get into this specialist area of the market and it would be great to see Sophos…

    1 vote
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  3. Enable/Disable SSL/TLS inspection per firewall rule

    In v18 of SFOS of my XG firewall, SSL/TLS inspection is a global on/off setting. I would like to be able to control the use of SSL/TLS inspection per rule instead of globally.

    I have an old copier trying to send secure emails and the inspection engine is erroring out with a timeout error. There is no way to make an exception for this. If could just create a new firewall rule so this copier could send out emails would be great while leaving SSL/TLS inspection enabled for all the other rules. v17 everything worked fine.

    2 votes
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  4. Please add back the Drop Silently feature

    Port 80 and Port 443 can’t be silently dropped by the firewall & logs incorrectly report traffic as “Accepted.” Even traffic that is "Dropped" gets a response form the firewall.

    Firstly this is nonsensical. After weeks of back and forth Sophos support told us this is the intended behavior. Sadly this behavior makes the log files misrepresent the action taken, all traffic that get a "Drop" action shows as "Accept" in the logs.

    Secondly it removes the first layer of protection. Normally we use "Drop" to silently hide from unwanted traffic and potential attackers, this "new feature" Sophos added eliminates…

    2 votes
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  5. make live changes on service rule to enable port forwarding

    allow making editable the services rule in hosts & services option while the rule is live.

    As if the site is live and we want to allow a new port on the server then we have to take it down first from the firewall rule then need to go to the services option and then it will allow us to change after that we are able to add the new port in rule

    It's not proper way if we want to take down our live site for a few min it will bad impression on business

    1 vote
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  6. Netflow data over IPsec VPN

    Netflow data can travel on Ipsec vpn.

    1 vote
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  7. firewall rules audit

    We are using XG115 firewall. Cybersecurity Auditor raised following queries.
    1) operator can see all the firewalls rules. there is no option to assign selected firewall rules to the operators. Alot of profile limitation.
    2) 4 eyes is not available whenever changes are done in the firewall.
    3) Mac address fails to work because of router and switches of layer 2/3 in between the network inspite of putting static mac address on the switch it still failed to work.

    2 votes
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  8. country ipv6 lists

    Need to have Ip2country for IPv6 based hosts and IPv6 addresses per country. Also be able to list of networks in IP object like IPlist.

    15 votes
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  9. Utilize the weight value for WAN failover order of priority to become active

    Hello Team,

    We have customer here requesting to Utilize the weight value for WAN failover order of priority to become active. For your assistance please. Thank You

    1 vote
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  10. Utilize  the weight value for WAN failover order of priority

    Hello Team,

    We have customer here requesting to Utilize  the weight value for WAN failover order of priority. For your assistance please. Thank You

    1 vote
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  11. change vlan base

    Please make it possible to move existing VLANs to another base interface without the need of deleting/reconfiguring. Almost every other manufacturer allows that and it really helps when we have to temporarily build a network on ports other than the ones that will be used in the end.

    23 votes
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  12. Firewall rule locks

    Using Sophos XG 18.01 , had a recent issue where a LAN>>LAN rule was deleted automatically when a RED device interface was removed from the XG.

    It would be great, if "Tags" or "Locks" could be applied to Firewall rules, that either stops these rules from being deleted, or alternatively prompts for login credentials or a warning before the rule is deleted.

    8 votes
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  13. AUTOMATIC VISIBLE DEFAULT DENY FIREWALL RULES FROM ZONE TO ZONE

    When a Network zone is added, firewall rules shoud be created with a specific "view" of zone to zone rules to help administrators to maintain firewall rules and add specific accept rules in the correct "view" of zone to zone scope by copying the default deny zone to zone rule and position with the good sequence number after verification to avoid traffic dismissing

    3 votes
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  14. flowspec alert DDOS to routing subsystems from IDS

    When DDOS attack is detected, a web page should authorize the admin to send after validation
    a BGP FLOWSPEC message with preformated tupples acl to upstream routers with network traffic limitation or drop
    just to load balance the security defense between routers and the target or intermediary firewall

    3 votes
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  15. L7, APPLICATION, AAA, self sourced firewall traffic

    self sourced traffic of the firewall services should be defined on a specific "micro service" address type loopback to simplify acl special security in the menu "system" "administration""device access" even if this special menu is greatfull

    4 votes
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  16. route map for route redistribution control between protocols

    route maps with acl defined subnets, interfaces, next hop should be usefull to mitigate routing table hijacking propagation inside severals IGPs and BGP

    "Should be used in conjonction with network namespace and vrf lite"

    1 vote
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  17. network namespaces or vrf lite

    network namespaces or vrf lite are a way to mitigate the internal private routing tables exposition to external public routing table when there is no way to build a multi level firewall architecture

    2 votes
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  18. Filter Option not available in under Intrusion prevention-Spoof protection trusted MAC and its very difficult to change MAC or IP

    Please provide this option urgently in XG430 because its very difficult to find MAC or IP. I was used Cyberoam before and this option available and its very easy to use. After upgrading Cyberoam CR750ing to sophos its very difficult. Thanks for Understanding.

    1 vote
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  19. sophos xg firewall dashboard icon for vpn color should not br red once one tunnel is working

    sophos xg firewall dashboard icon for vpn color should not be red once one tunnel is working
    it should be yellow with triangle icon and down you can mark 1out of 2 is down

    1 vote
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  20. manage TLD / ccTLD DNS lookup results in XG DNS

    Currently, blocking or redirecting TLD / ccTLD (https://icannwiki.org/Countrycodetop-level_domain) dns lookups for clients using XG dns requires configuring dns request routes for each one to send those lookups to an external Microsoft or other dns server populated with fake TLD / ccTLD zones and wildcard records. It would be simpler to be able to control lookup results within XG without having to route to an external server.
    This request was similar but applied only to web http traffic rather than the dns level to address all protocols: https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/31267192-block-tld

    2 votes
    Sign in Sign in with: Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
← Previous 1 3 4 5 12 13
  • Don't see your idea?

Feedback and Knowledge Base

icon-data-protection icon-endpoint-protection icon-phish-threat icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-mobile icon-sophos-utm icon-sophos-utm icon-sophos-utm icon-web-appliance icon-xg-firewall icon-xg-firewall icon-avid-secure icon-lightbulbCreated with Sketch.