XG Firewall
Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.
-
Port 80 and Port 443 are not blocked by the firewall
In the default configuration, without any workaround, Port 80 and Port 443 are not blocked;
that behaviour is also there when you enable an explicit drop rule. Instead of blocking the traffic, the XG Firewall says on both web ports "Hello, I'm a Sophos XG Firewall". The behaviour is the proxy function and it is there by design.
(The behaviour is also present from outside.)
4 votes
Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
With the new DPI mode in version 18, redirection to the proxy is now optional.
-
Add "Microsoft Team Foundation" to Application Control
Please add Microsoft Team Foundation application to Application Control.
3 votes
Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
Microsoft Teams has been added to the application list.
-
Surfing quota
Sophos XG's time-based quota works on logon time and session. When a user logs on to a machine, the session will start and the quota will be triggered.
If a user has been granted a web surfing quota of 1 hour daily (cyclic) and he logs on to his PC at 9:00 hrs, then his quota will expire at 10:00 hrs whether he has used the Internet or not.
As per the support team, this is not possible right now, and they suggested a feature request.
4 votes
Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
In version 18, we have introduced time quotas in web policy. These can be consumed in 10-minute chunks as the user needs them during the day.
-
ECC certificates
XG Firewall should accept ECC certificates
3 votes
Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
This feature was added in version 17.5 and will be enhanced in version 18.
-
Make the firewall rule interface user-friendly (Cyberoam-like)
Please take a look at the development of the firewall rules interface.
This is far from being great and user-friendly. Do it like the Cyberoam interface: automatically group rules by source zone & destination zone. I know you've created "groups" to do this, but this is not sufficient at all. (Already spent over an hour moving rules to different groups; firewall with 100 rules and 8 zones.)
Despite the above, also make your groups user-friendly.
Bulk actions to move rules to a group; the "add to group" list is not ordered A-Z. But I'm really hoping you take a look at the…
4 votes
Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
We have improved the Firewall Rule grouping up to and including v18. If there are still specific suggestions for improvements, please resubmit them as new items.
-
TLS (SSL) Encrypting remote syslog
The ability to encrypt SYSLOG traffic would be very handy, this would need to be alongside a similar ability in iView so that there needn't be a VPN required to do the encryption for you when you have an offsite, central logging host.
8 votes
Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
This is now possible. Select “Secure log transmission” when configuring your Syslog server.
-
NATting should be made simpler
NATting should be made simpler, as it was in Cyberoam before: auto rule creation and port NATting. Doing this in XG OS is a task and not at all user-friendly.
8 votes
Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
We have overhauled NAT in version 18. If you have more suggestions after seeing the new version, please submit them with plenty of details.
-
1-to-1 subnetted NAT
For any firewall that is used in a corporation, it must implement 1-to-1 subnet-to-subnet NAT,
in fact allowing traffic on both sides.
For security it uses a firewall policy. As it was in UTM, NAT is a must in any circumstance. Administrators must have more flexibility to implement any type of NAT; they must not be tamed by the type that the firewall forces them to use.
7 votes
Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
Big improvements to NAT are coming in version 18. Check out the EAP to see it before it is released in early 2020.
-
Allow me to change the MTU/MSS of RED Devices
This was previously possible in UTM. Disappointing that I can't tweak this for performance, since it uses predominantly UDP... and UDP fragmentation is a big problem in our world of oversold connections.
2 votes
Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
This will be possible in version 18 of SFOS.
To get early access to version 18, check this page: https://events.sophos.com/v18eap
-
SD-WAN
SD-WAN
186 votes
Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
We are adding a range of SD-WAN features in version 18.
You can get early access to it here: https://events.sophos.com/v18eap
-
Web Category and Reputation Override like UTM
On UTM we have the Web Category and Reputation override. This can help to add additional URLs/domains to the proper category so even the reports match. On XG this is not possible. I guess this feature should not be so hard to implement. I really like the XG web section. Thanks.
35 votes
Web policy overrides were added in v17.5.
-
Display "allowed client networks" on firewall NAT/business policy and UI improvements
Hello,
at the moment, if you have a NAT rule in place, for example 3389 to an internal server, and you restrict the rule to a specific IP list, in the main firewall view you cannot see that the rule has any source restrictions unless you go into the rule.
This can take a 1-minute task of checking all your rules for security policies and make it a 1-hour task.
It would be great if the firewall page used the entire screen and displayed more information for each rule so you never have to go into a rule to…
47 votes
Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
Changes in version 18, including the separating out of NAT policies from firewall rules, should solve this issue.
-
Request to add the application Mobile Legends to be available under application filtering of Sophos UTM and XG
Request to add the application Mobile Legends to be controlled under application filtering of Sophos UTM and XG.
Customer is requesting to add the game Mobile Legends under Application Control on Sophos UTM and Sophos XG.
Application: Mobile Legends
Publisher: https://www.mobilelegends.com/
Reason for request: This game is not filtered on Sophos SG and XG Application Control.
2 votes
-
Sandstorm / IPS scanning
Sandstorm will only scan HTTP on TCP 80 and HTTPS on TCP 443. The IPS/IDS system within the XG system should be proactive and understand when HTTP/HTTPS transactions are happening and allow Sandstorm scanning.
We have many web servers within our DMZ and they can use non-standard TCP ports for their connections. This means a large percentage of files are not being processed by Sandstorm.
3 votes
Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
The new DPI filtering functionality in version 18 can scan HTTP and HTTPS on any port.
-
DHCP
Go to the Admin GUI, Network -> DHCP -> Edit DHCP -> list "Edit static IP / MAC-Assignment".
The input fields in the columns for Hostname and IP Address are too small. If I enter the value 192.168.178.100 in the IP input box, you see only the first 1 of 100, because the text box truncates the value. IP addresses have a standard length, so please expand the input fields.
To the right of the table there is enough white space to make the table wider.
10 votes
Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
This is improved in recent versions.
-
Per-policy control for SafeSearch
Please provide the option to enable/disable SafeSearch and YouTube Restricted Mode per policy.
In schools we need the ability to enable/disable SafeSearch and YouTube Restricted Mode based on the policy for individual user groups rather than globally, while at the same time having web category filtering.
For example, we would like to turn SafeSearch and YouTube Restricted Mode off for certain staff groups while maintaining the category filtering, whereas for students we want SafeSearch and YouTube Restricted Mode on at all times.
88 votes
Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
This was delivered in version 17.5.
-
Allow SSL site-to-site and remote access simultaneously
SSL tunnels are excellent for remote use as well as site-to-site, but XG is currently limited to only one of them functioning at any one time. This should be changed!
4 votes
-
Email Notification Delivery Flexibility & Encryption
I'm running v17 and it seems really light in the flexibility on how email notifications are delivered.
There should be an option to deliver to an MTA via authenticated/encrypted SMTP with just a username and password; who can use certificates with most providers? In UTM I simply gave it all of my account information along with the address and it worked beautifully!
Please bring that back!
5 votes
Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
You can set up an authenticated SMTP connection for delivering system notifications.
-
Give a name to an interface
It should be possible to give a name to an interface. I have over a hundred VLAN interfaces configured for one of our customers and it is a pain ********** to try to figure out that amount of VLANs without knowledge of their names.
79 votes
Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
This functionality is coming with SFOS version 18.
For information on the early access program for v18, read this: https://events.sophos.com/v18eap