Can we please get fq_codel enabled for QOS by default, looks like the kernel will need upgrading too

Define multiple upstream HTTP proxies.

Define URL-based policies to determine which proxy should be used, or whether traffic should go direct.

Each proxy may require authentication.

It would be great to be able to see live Bandwidth speed stats for each Interface like we had on UTM.

It will be nice to have the possibility to editing multiple Policies at the same time by having a check box on the left (as it is already available on Services Objects) and be able to perform general modification, such as:

enable/disable logging

edit MASQ

edit users/groups member

enable/disable heartbeat

allow/deny/reject action

change Application/IPS/Web filtering

malware scanning option

Give us the chance to manage XG basic features from CLI, such as:

creating/editing/deleting network objects
creating/editing/deleting services
creating/editing/deleting users/groups
creating/editing/deleting ips/application control/web policies
creating/editing/deleting and managing VPN

and more.....

Create own providers under Dynamic DNS like it's done under SMS Gateways like to update IPv6 Tunnel endpoints when the WAN IP changes or third party DynDNS Services.

If you have DHCP on the WAN interface and also an IP-Tunnel which terminates there, it would be great if you can configure the local endpoint dynamically. (Take the IPv4 value of interface Port1)

Add AICCU support (Like on UTM) [https://www.sixxs.net/tools/aiccu/] for Sixxs.net ipv6 tunnel handling.

Drop the whole concept of Zones in the access policies. They are redundant when the polices already state the networks and the interfaces.

That is to say, a Zone means nothing when you already have to define the source network an the interface it arrives on.

Just migrated from UTM to XG. It's fantastic. One small thing, please bring back support for OpenDNS dynamic DNS. Please, please.

It would be very convenient to assign static ip to users logging in through SSL VPN client. Currently this feature is available only to L2TP and PPP users.

Tried network agent to authenticate users and it is a very nice feature.

Once installed, you connect with mobile to user portal, download certificate and import inside the APP.
However I would suggest to add an option inside the APP that allow the APP to work only when the mobile is connected using a specific SSID Wi-Fi connection. At the moment, the only integrated option are:

Save Password

Auto Login

This ensure that user do not need to open the APP when they are back to work and save battery.

NTP Server is a small package and UTM9 has it. In some small organization, having a central NTP server is a nice feature.
Can you add it into future release?

You can put it inside device access, denying WAN from using NTP server for security reason.

At the moment, if you try to remove a object used somewhere (Policy Rule for example) a message appears saying that "the object is already in use." So give us where the object is in use and allow Admins to delete it.
You can add an extra column with number of times the object has been used and give LINK where the object is used so we can go directly to the place and check if can delete it or not.

UTM 9 had great DHCP options that you could assing globally or to an individual pool. For people with VoIP deployments this is Huge.

At the moment there are different type of authentication missing even on UTM9 against ISA server 2006, such as:

1. Two-factor authentication using forms-based authentication and a client certificate.


2. Delegation of credentials by using NTLM or Kerberos authentication.


3. Kerberos constrained delegation.


4. Secure Sockets Layer (SSL) client certificate constraints

In this way, XG and UTM9 are the very alternative to ISA Server.

I would love to be able to create RED tunnels to other Sophos Firewall XG devices aswell as Sophos UTM's.

This was a big disappointment to myself who used RED tunnels between UTM's