Today it's not possible to create more than one rule for authenticated users that specify different QoS policies.

When a rule is marked to match authenticated users, the QoS policy selection is disabled as it is inherited from the user/group.

Instead, the system should allow the administrator to define if the user default policy or a stand-alone QoS policy will be applied to the access.

Give option to restrict a user accessing internet from specific MAC address only. Current in 16.05 there is option shown in Authentication > Users > Details, but it does not work.
Sophos support says, such a feature is not available. Please bring the feature back.

Summary: Restrict a user from a particular MAC address. User should able to login to internet/UTM from this MAC address only

Allow us to 'exclude' certain applications which may not be able to be configured on an IP/port basis, from the Quota functionality.
E.g Skype, Viber, Skype4Business, Office365

Also, Windows Update and other software update that may consume quota quickly.

please we need to apply rules by device type or OS type.
which most of our customers ask for it, cause it included on other firewall.

Include the possibility of signing outgoing emails using DKIM for all or only selected email domains as in UTM9

Currently the system cannot report on specific domains - urls that users have entered to a search engine.

Need a report that can do this without reporting on ALL the urls required to make a page work - dont want to see multiples of the same urls or the extra urls required to make a page display - only want a list of what users are trying to access

I think you can do it on Sophos Cloud, but the ability to upload and mark on on a floor plan where all the access points are, and do site surveys.

Currently RDP sessions through the User Portal don't offer Audio. This feature would be handy for remote users to be able to playback voicemails, etc.

RDP sessions from the User Portal don't allow you to adjust the screen resolution or go full screen to fit the remote desktop to your screen.

RED Tunnels is nice only if i can live in a world where every firewall/gateway is made by sophos. So at least support some standard means to create routable vpn.

I want to be able to add all my wireless networks to all my access points.
Currently I cannot mix "Bridge to AP LAN" and "Bridge to VLAN" on the same access point which I could easily do on other wireless systems.

Auto-provisioning via TR-069/CWMP protocol to configure wan ip address, firewall rules, management server, etc.

https://en.wikipedia.org/wiki/TR-069

DHCP option 42 (NTP) currently can only take static IP. Need to use DNS name as well. So we can use something like pool.ntp.org

With ipv6 wan interface its not possible to reach an ipv4 (ipv6 is not possible for this specific device) device over the internet. We need an translatoon from ipv6 -> ipv4. business application rules (dnat, waf) does not support mixed ipv4/6. only ipv6 for an ipv6 rule and vice versa.

Perhaps not the most popular suggestion, but I would gladly pay a modest fee (e.g. 50 USD/year to be on par with Untangle) if some user requests could be fulfilled. I think of

• using the Sophos Home cloud to create integrated reporting


• the ability to use XG as an OpenVPN client so all traffic is protected


• the ability to use sandstorm

Then again : a big thank you for making the software free to use. Based on this policy, I was able to recommend at least 15 small business to move to Sophos.

The ability for XG to act as an OpenVPN client with the ability to open separate tunnels based on destination country would be great.
I fully realize this functionality is probably most relevant for - non paying - home users so I ask this with a lot of diffidence.

Is it possible to add DNScrypt-support please ? Everything that can be done to make DNS more secure is urgently needed :)

In singapore the IPTV Services requires DHCP Option 60 to be a specific string before the DHCP Server assigns an IP Address.
With an option to send a DHCP Option 60 together with the DHCP Discover packet would be great to have, to enable the XG Firewall to get an IP Address form the ISP's DHCP for IPTV

Hi team, I noticed that Sophos VPN use weak handshake for remote user despite high settings on SSL VPN crypto.
Currently it uses: SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
3DES-EDE is known to be weak.
I think this is a serious problem for such a nice firewall.
Forum post: https://community.sophos.com/products/xg-firewall/f/vpn/84727/sophos-xg-ssl-vpn-remote-use-weaker-handshake-than-specified-and-udp-failed-to-connect/