In default configuration without any workaround Port 80 and Port 443 is not block;
That behaviour is also there when you enable an explicit drop rule;

Instead of blocking the traffic the XG Firewall says on both web Ports "Hello I´m a Sophos XG Firewall". The behaviour is the Proxy function and It is there by design.
(The behaviour is also from outside)

Please add Microsoft Team Foundation application to Application Control.

Please reference my post here: https://community.sophos.com/products/xg-firewall/f/logging-and-reporting/99012/defect-in-fw-log-entries---incorrect-source-macs-in-both-logviewer-and-syslog

Sophos XG's time based quota works on logon time and session. When a user logs on to a machine the session will start and the quota will be triggered.

If a user has granted web surfing Quota of Daily 1 hour Cyclic and he logons his PC at 9:00 hrs then his quota will expired at 10:00 hrs whether he has used Internet or not.

As per the support team this is not possible right now and suggested a feature request.

XG Firewall should accept ECC certificates

The ability to encrypt SYSLOG traffic would be very handy, this would need to be alongside a similar ability in iView so that there needn't be a VPN required to do the encryption for you when you have an offsite, central logging host.

Natting should be made simpler asit was in cyberoam before auto rule creation and port nating. doing this in XG os is a task and not at all user friendly

for any firewall that´s is used in a corporation, it must implement 1 to 1 subnet to a subnet NAT.
in fact allowing traffic in both sides.
for security is uses a firewall Policy.

As it was in UTM, NAT is a must in any circumstance. Administrators must have more flexibility to implement any type of NAT, they must not be tamed by the type that firewall forces them to use.

This was previously possible in UTM. Disappointing that I can't tweak this for performance since it uses predominantly UDP...and UDP fragmentation is a big problem in our world of oversold connections.

SD-WAN

On UTM we have the Web Category and Reputation override. This can help to add additional URL/Domains to proper category so even the reports match. On XG this is not possible. I guess this feature should not be so hard to implement. I really like the XG web section. Thanks

Request To Add the application Mobile Legends to be control under application filtering of Sophos UTM and XG

Customer is requesting to add the games mobile legends under Application Control on Sophos UTM and Sophos XG

Application: Mobile Legends
Publisher: https://www.mobilelegends.com/
Reason for request: This is Game is not filtered on Sophos SG and XG Application Control

Sandstorm will only scan HTTP on TCP 80 and HTTPS on TCP 433. The IPS/IPD system within the XG system should be proactive and understand when a HTTP/HTTPS transactions are happening and allow Sandstorm scanning.

We have many web servers within our DMZ and they can use non-standard TCP ports for their connections. This means a large percentage of files are not being processed by Sandstorm.

Goto Admin-GUI, Network -> DHCP -> Edit DHCP -> List "Edit static IP / MAC-Assignment".

The Input-Fields in the Columns for Hostname and IP-Adress are to small. If I enter the value 192.168.178.100 in the IP-Input-Box, an you see only the first 1 from 100, because the Text-Box truncates the value. IP-Adresses have a standard length, so please expand the input fields.
Right from the table is enought white space to make the table wider.

Please provide the option to enable/disable Safe search and youtube restricted mode per policy.

In schools we need the ability to enable/disable the safesearch and youtube restricted mode based on the policy for individual user groups rather than globally while at the same time as having web category filtering.

For example we would like to turn safesearch mode and youtube restricted mode off for certain staff groups but while maintaining the category filtering, where as students we want safesearch and the youtube restricted mode on at all time.

SSL tunnels are excellent for remote use as well as site-to-site, but XG currently is limited to only one of them functioning at any one time. this should be changed!

I'm running v17 and it seems real lite in the flexibility on how email notifications are delivered.

There should be an option to delivery to an MTA via Authenticated/Encrypted SMTP with just a username and password, who can use certificates with most providers? In UTM I simply gave it all of my account information along with the address and it worked beautifully!
Please bring that back!

It should be possible to give a name to an interface. I have over hundread VLAN interfaces configured for one of our customers and it is pain ********** to try to figure out that amount of VLANs without knowledge of their names.