XG Firewall
Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.
-
TLS verification errors must be logged
As long as you open an HTTPS page via browser you may see that there is an SSL verification error and XG did block traffic.
As TLS verification is also implemented in FTPS (Scan FTP for Malware), you won't get any message on failures; you can just imagine that traffic won't pass because of a TLS error.
Same if HTTPS is used by applications, e.g. internal software updates.
3 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded:
Version 18 has a new SSL/TLS decryption engine that provides much more log information about success or failure of SSL/TLS connections.
-
Disable default bridging
When setting up XG 17.5 for the first time, all unconfigured interfaces are bridged with LAN :-(
VERY annoying, because when you want to disable the bridge, you need to unbind one interface, assign a new IP on the unbound interface and assign the LAN zone to that interface. Then you can switch the port to the new interface and log in to remove the bridge. NOT GOOD.
When bridge is needed, we can easily configure it, when doing it from port 1 ourselves ;)
11 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded:
In version 18 setup wizard, you can configure individual interfaces so you don’t end up with a running configuration with all interfaces bridged.
-
Reporting: Virus Detection Email Alert
Please give us the option to automatically send an email alert to the admins when a user visits a website that has a virus detection. I think this is the best way to get quickly informed about a security incident, not maybe a week later via reports.
13 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded:
This functionality will be available in version 18 of SFOS.
-
Advanced NAT options for firewall rules
I have seen multiple forum posts about this and there's also some feature requests that all come down to the same issue: managing NATs kind of sucks on the XG!
On a user rule, the only thing we can do is masquerade. That's not always useful. There's no way to control DNAT and SNAT options in a good way. We don't have a proper way to set up a 1-to-1 NAT for a full network other than creating two business rules that are really not made for this purpose. It's completely unintuitive and not well designed.
The Network Address Translation…
9 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded:
Version 18 is decoupling NAT from firewall rules and providing a lot more flexibility around NAT policies. Please try it out – I think it should resolve your use cases.
-
Edit a service object that is in use without removing it from rules
Ability to edit a service, like changing port numbers on a service, that is in use in multiple business rules. Currently you can't change UDP from port 9000 to 9001 and have it update in the business rules it applies to. You have to remove the business rules first to edit the service, or create a new service. This is a much bigger process. As an admin I want to click the service, edit, change, done. We are not end users, we are admins.
5 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded:
In version 18 this is not a problem. Business rules have gone away with the new NAT treatment, and you can modify service objects in use in Firewall rules and NAT rules.
-
DNAT Rules By Schedule
You should enable the option to add a schedule to a DNAT rule.
25 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded:
In version 18, we have separated NAT rules from firewall rules. It will be possible to schedule DNAT traffic on or off by scheduling the corresponding firewall rule.
-
NAT Policies can only be edited/created when Creating a FW Rule
In Cyberoam you had a separate section to create/edit NAT Policies. It looks like the only place is when you are creating the FW Rule itself.
You cannot:
* rename the NAT Policy
* delete a NAT Policy
It would be good if this was available in a section/tab (rather than hidden with a FW Rule).
1 vote · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded:
NAT policies have been separated from Firewall rules in version 18.
-
Time-based restriction on business application rules on XG firewall
Time-based restriction on business application rules on XG firewall for external-to-internal traffic.
6 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded:
With changes to Firewall rules planned in version 18, you will be able to schedule rules for inbound traffic as with any other firewall rules.
-
Allow exclusions for certificate validation
For Web Protection it would be good to have the option to download / exclude certificates for certificate validation (Block invalid certificates in General Settings).
The setting like we have in SWA is missing in XG: http://wsa.sophos.com/docs/wsa/webhelp/swa/tasks/ConfigGlobalPolCertValidAddFromWeb.html
4 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded:
This will be possible in version 18.
-
Filter firewall rules by IP or Host or Group name
When a user clicks on the "Enable Filter" link on the Firewall page, the user should have an option to filter rules by IP address or Host object or Group object. It shouldn't be this difficult to find the rule I'm looking for in the UI.
2 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded:
Version 18 adds better filtering for firewall rules in the Admin UI.
-
NAT on a different tab, not on firewall rules
NAT on a different tab, like the SG version.
It will be great to use and categorize rules by selecting NAT: SNAT, DNAT, 1:1 NAT.
1 vote · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded:
Check out the version 18 EAP.
-
Backup File Encryption
Encryption of the file, needed especially when emailing backups.
4 votes
-
Allow IPv6 address on VLAN interface
Currently unable to add an IPv6 address to a VLAN interface when the physical interface doesn't have an IPv6 address.
10 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded:
This is now possible, as of version 18.
-
Quota Time in actions (Policy Web Protection)
Add the option Surfing Quota in actions in the policies of the web protection, as already exists in the UTM.
4 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded:
This is coming in version 18.
-
Firewall rule group description can't be deleted
If you enter a description in a firewall rule it can't be deleted. Once you remove the description, save it and reload the page the description re-appears. This is a bug which is still present in 17.1 MR1.
1 vote
-
Do we have the SNMP v3 services in Sophos XG FW?
I want to configure the SNMP v3 services in the FW but there is no option there.
9 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded:
Support for SNMPv3 is coming in version 18.
-
Zero Firewall Rule Traffic Counter
Very simple, have an option to zero the traffic counter on a firewall rule.
87 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded:
This has been implemented in version 18 of SFOS.
-
Custom SPX template HTML
Please add a possibility to upload custom SPX templates as HTML files (like in UTM).
4 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded:
The configuration in version 18 is the same as UTM – you can paste in HTML to customize the recipient message.
-
Delete/Disable several Firewall rules at once
Not possible to delete or disable several rules at once.
9 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded:
This is possible in version 18.
-
Fix Windows Update Bug
Any chance of Sophos fixing the Windows Update bug sometime this century? Almost a year old now.
4 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded:
The domain login.live.com has been recategorized as Information Technology.