XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.

XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Static Mapping window size

    Static Mapping size seems to be just too small to see the last octe in most IPs. 192.168.60.200 shows the 2 and half of a 0. If space is at a premium, MAC Address seems like it could spare some length...

    2 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    Completed  ·  0 comments  ·  Base System + General UI  ·  Flag idea as inappropriate…  ·  Admin →
  2. Disable Columns for syslog

    When I send the logs to syslog-server, I get all the columns into the log.

    Since I don't use some functions, which generate only columns with empty values, I would prefer, beeing able to disable some columns, so they are not been sent to syslog at all: Logfile would be much more readable - thank you!

    3 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Reporting  ·  Flag idea as inappropriate…  ·  Admin →
  3. Negate Objects in the Firewall Policy

    In the Firewall Policies, I miss a feature to negate an object inside a rule.

    So for example I could define in a single rule: Whole of Zone LAN is allowed as destination, but not the objext "Server xy"...
    Or Any Service is allowed, but not SQL

    In the policy change view, I have two action-icons: One for editing and one for removing it. A third Icon of negating would make the UI-part (and the object then could be seen as striked through or similar...).

    9 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  4. XG Client for Chromebooks

    It would be really nice to have a chrome extension for the XG firewall to identify a Chrome user using a Chromebook. This way we could identify user or Group to use certain rule sets. This would also be great reporting purposes.

    20 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Base System + General UI  ·  Flag idea as inappropriate…  ·  Admin →
  5. Smtp malware scanning support with user / network policy

    Smtp malware scanning support with add user/network policy

    Not scan smtp malware with user / network policy.
    I want this function to be supported

    5 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  6. Application Specific Signature for Ring Central

    There is no Application Specific Signature for Ring Central, which means we can't apply Application-based Traffic Shaping Policy for it.

    Please add Ring Central as a defined Application.

    See below:
    https://community.ringcentral.com/ringcentral/topics/how-do-i-troubleshooting-call-quality-issues-qos
    https://www.ringcentral.com/support/qos-router.html?_ga=1.41909153.2038724511.1480961611

    10 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Application Detection Requests  ·  Flag idea as inappropriate…  ·  Admin →
  7. Transparent Subnet Configuration

    It would be great if Sophos XG would allow you to created a transparent interface like SonicWall does. https://support.sonicwall.com/kb/sw5979. Sophos currently only supports using a bridge interface or proxy ARP to achieve this which is not as easy or clean as SonicWall's method.

    https://community.sophos.com/kb/en-us/123524
    https://community.sophos.com/kb/en-us/123525

    6 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  8. increase the limiation of maximum thinclient

    Please increase the limitation of 64 maximum thinclients, as some customer has more than 64 Citrix servers.
    256 would be a good number.

    12 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    4 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  9. Add option for hostname in quarantine digest report

    Option to use a hostname for quarantine digest report instead of ip address like it has now.

    43 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    5 comments  ·  Email Protection  ·  Flag idea as inappropriate…  ·  Admin →
  10. Include Invincea's Deep Learning Engine (Machine Learning) on the UTM

    Since Sophos has purchased Invincea, I am requesting that Sophos included Invincea's pre-execution Deep Learning Engine (Machine Learning) on the UTM itself.

    Now that Sophos has acquired Invincea and their scanner's ability to detect new malware before it executes, if the scanner was included on the UTM, it could increase the detection of unknown malicious files before they execute.

    With the combination of Sophos' database of known safe files which it could check files against, Sophos could avoid the problem of false positives from Machine Learning detection.

    I am requesting that Sophos add this Machine Learning layer to the UTM…

    12 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Protection  ·  Flag idea as inappropriate…  ·  Admin →

    In version 18 we are leveraging Deep Learning capabilities in Sophos’s cloud-based analysis platform. When we send a suspect file to be scanned with Sandstorm, samples will also be checked with Deep Learning AI models. Deep Learning is also embedded into the sandbox environment and is used extensively during sample detonation. Version 18 will also provide new in-depth analysis reports that use aspects of machine learning to show how suspect items relate to other known good or bad files.

  11. dns group

    On Sophos SG you can create a definition for a "DNS Group", which is a really useful feature when needing to define multiple IPs for firewall rules, device access and so. It would be nice to have this on XG.

    10 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Base System + General UI  ·  Flag idea as inappropriate…  ·  Admin →
  12. Remove support for TLS v1.0 and Insecure Cyphers or Allow them to be disabled

    The XG still supports protocols that are insecure and fail PCI compliance scans. These protocols such as TLS v1.0, 64-bit block ciphers, etc should be able to be disabled through at a minimum the CLI and preferably the UI.

    71 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    Completed  ·  7 comments  ·  Webserver Protection  ·  Flag idea as inappropriate…  ·  Admin →
  13. Hotspot functionality to support VLAN and custom zone

    The hotspot functionality doesn't show an option to choose VLAN with custom zone. It does show a physical interface with custom zone and a VLAN with LAN/DMZ zone. However it does not show a VLAN that is custom zone, even if the zone is type LAN or DMZ. An example would be two networks that share the same interface: BYOD (physical) and Guest (VLAN). BYOD can be used with a custom zone, but Guest cannot.

    5 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Wireless Protection  ·  Flag idea as inappropriate…  ·  Admin →
  14. Support SNMPv3 on the XG

    Submitting on behalf of client:
    Currently the XG only supports v1 and v2 for SNMP client hoping we can support v3 as well as it is a requirement needed for his environment.

    63 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    15 comments  ·  Reporting  ·  Flag idea as inappropriate…  ·  Admin →
  15. Load Backup instead Basic Setup

    Could be a good option if when perform the initial wizard setup, instead need to config Basic Settings you can load a previously taken Backup. This could be useful when you have just flashed the device.

    12 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    Completed  ·  0 comments  ·  Base System + General UI  ·  Flag idea as inappropriate…  ·  Admin →
  16. Update Maxmind GeoIP Database

    Would be great to be able to update the GeoIP Database used for country based firewall policies.

    12 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    Completed  ·  0 comments  ·  Base System + General UI  ·  Flag idea as inappropriate…  ·  Admin →
  17. Allow modification to HTTP timeout value

    We use an http service that lets you download a dynamically rendered PDF specific to our site. Unfortunately, XG 16.0.5 does not let you change the timeout value for an http response, and the PDF takes about 67 seconds to render, and the XG times out the connection before it has a chance to download. Reaching the site directly via cell phone or other firewalls allows the https server enough time to deliver the PDF, but not through the XG. Support rep confirmed there are no console commands to change this behavior, please refer to case number 6855875.

    7 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Web Protection  ·  Flag idea as inappropriate…  ·  Admin →

    This was added in v17.0 of XG Firewall.

    To change the response timeout:

    1. Connect to the device console via SSH or directly with a keyboard/monitor or serial cable.
    2. Login
    3. On the main menu, select (4) Device Console
    4. At the prompt, to increase the timeout to 3 minutes from the default of 60 seconds, enter the following:

    console>set http_proxy response_timeout 180

    5. Exit the console and log out.

    To see the current value, enter the following command at the console:

    console>show http_proxy

    Note that setting this value too high will increase the risk that misbehaving servers could cause a denial of service – consuming excessive open connections by just not responding to requests sent.

  18. SMTP Smarthost

    Get back the possibility to relay outgoing email from the Sophos XG to a SMTP smarthost like we had in UTM 9

    71 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    5 comments  ·  Email Protection  ·  Flag idea as inappropriate…  ·  Admin →
  19. NVMe support - Kernel Upgrade

    It would be nice to be able to utilize NVMe drives. NVMe native support was added in Linux kernel 3.3. It appears the v16.05 version is utilizing 3.14 currently. Is there a current roadmap for upgrading the kernel 3.3+?

    5 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Base System + General UI  ·  Flag idea as inappropriate…  ·  Admin →
  20. User Portal link in quarantine digest need to use hostname

    The email sent to users for Quarantine Digest contains a hyperlink to the User Portal. The link uses the IPAddress and needs to use a hostname.

    79 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    20 comments  ·  Email Protection  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base

icon-data-protection icon-endpoint-protection icon-phish-threat icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-mobile icon-sophos-utm icon-sophos-utm icon-sophos-utm icon-web-appliance icon-xg-firewall icon-xg-firewall icon-avid-secure icon-lightbulbCreated with Sketch.