XG Firewall
Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.
-
Option to use QoS by Policy instead of user/group with Authenticated access
Today it's not possible to create more than one rule for authenticated users that specify different QoS policies.
When a rule is marked to match authenticated users, the QoS policy selection is disabled as it is inherited from the user/group.
Instead, the system should allow the administrator to define if the user default policy or a stand-alone QoS policy will be applied to the access.
8 votes -
MAC based authentication
Give option to restrict a user accessing internet from specific MAC address only. Currently in 16.05 there is an option shown in Authentication > Users > Details, but it does not work.
Sophos support says such a feature is not available. Please bring the feature back.
Summary: Restrict a user from a particular MAC address. User should be able to log in to internet/UTM from this MAC address only.
74 votes -
Exempt Specific Applications from Traffic Quota
Allow us to 'exclude' certain applications which may not be able to be configured on an IP/port basis, from the Quota functionality.
E.g. Skype, Viber, Skype4Business, Office365
Also, Windows Update and other software updates that may consume quota quickly.
21 votes -
Device Type and OS type detection, so can apply rule by it.
Please, we need to apply rules by device type or OS type.
Most of our customers ask for it, because it is included on other firewalls.
96 votes -
DNSimple Dynamic DNS Provider
Please add DNSimple as a Dynamic DNS provider. The link below provides info on their Bash Client as well as APIs if you should choose to bake your own or extend some convenience features into the Web Interface. All that is needed to make this work on an XG is some sort of scheduler (LaunchD/Cron) to run the bash script.
https://developer.dnsimple.com/tools/
Bash Script Example Below:
#!/bin/bash
TOKEN="your-oauth-token" # The API v2 OAuth token
ACCOUNT_ID="12345" # Replace with your account ID
ZONE_ID="yourdomain.com" # The zone ID is the name of the zone (or domain)
RECORD_ID="1234567" # Replace with the Record ID …
5 votes -
Allow outgoing emails to be signed with DKIM
Include the possibility of signing outgoing emails using DKIM for all or only selected email domains as in UTM9
274 votes -
User report showing only primary URL visited
Currently the system cannot report on specific domains - URLs that users have entered to a search engine.
Need a report that can do this without reporting on ALL the URLs required to make a page work - don't want to see multiples of the same URLs or the extra URLs required to make a page display - only want a list of what users are trying to access.
12 votes -
Wireless Site Survey
I think you can do it on Sophos Cloud, but the ability to upload and mark on a floor plan where all the access points are, and do site surveys.
25 votes -
Audio for RDP sessions
Currently RDP sessions through the User Portal don't offer Audio. This feature would be handy for remote users to be able to playback voicemails, etc.
12 votes -
Full screen for RDP sessions
RDP sessions from the User Portal don't allow you to adjust the screen resolution or go full screen to fit the remote desktop to your screen.
60 votes -
ipsec vti / routable ipsec / routable ssl vpn with abilities to connect to non-Sophos remote
RED Tunnels is nice only if I can live in a world where every firewall/gateway is made by Sophos. So at least support some standard means to create routable VPN.
6 votes -
Mixing Wireless Client Traffic Types
I want to be able to add all my wireless networks to all my access points.
Currently I cannot mix "Bridge to AP LAN" and "Bridge to VLAN" on the same access point which I could easily do on other wireless systems.
14 votes -
TR-069 Provisioning
Auto-provisioning via TR-069/CWMP protocol to configure wan ip address, firewall rules, management server, etc.
5 votes -
DHCP option 42 (NTP) use DNS name
DHCP option 42 (NTP) currently can only take static IP. Need to use DNS name as well. So we can use something like pool.ntp.org
22 votes -
NAT64 support
With an IPv6 WAN interface it's not possible to reach an IPv4 device (IPv6 is not possible for this specific device) over the internet. We need a translation from IPv6 -> IPv4. Business application rules (DNAT, WAF) do not support mixed IPv4/6, only IPv6 for an IPv6 rule and vice versa.
50 votes -
Make home license payable but cater to some home user requests
Perhaps not the most popular suggestion, but I would gladly pay a modest fee (e.g. 50 USD/year to be on par with Untangle) if some user requests could be fulfilled. I think of
- using the Sophos Home cloud to create integrated reporting
- the ability to use XG as an OpenVPN client so all traffic is protected
- the ability to use sandstorm
Then again: a big thank you for making the software free to use. Based on this policy, I was able to recommend at least 15 small businesses to move to Sophos.
17 votes -
XG as OpenVPN client
The ability for XG to act as an OpenVPN client with the ability to open separate tunnels based on destination country would be great.
I fully realize this functionality is probably most relevant for - non paying - home users so I ask this with a lot of diffidence.
27 votes -
Support for DNScrypt
Is it possible to add DNScrypt-support please ? Everything that can be done to make DNS more secure is urgently needed :)
37 votes -
DHCP client Option 60 on WAN Interfaces (for IPTV in Singapore)
In Singapore the IPTV services require DHCP Option 60 to be a specific string before the DHCP server assigns an IP address.
An option to send a DHCP Option 60 together with the DHCP Discover packet would be great to have, to enable the XG Firewall to get an IP address from the ISP's DHCP for IPTV.
32 votes -
Weak hand shake - SSL VPN
Hi team, I noticed that Sophos VPN uses a weak handshake for remote users despite high settings on SSL VPN crypto.
Currently it uses: SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
3DES-EDE is known to be weak.
I think this is a serious problem for such a nice firewall.
Forum post: https://community.sophos.com/products/xg-firewall/f/vpn/84727/sophos-xg-ssl-vpn-remote-use-weaker-handshake-than-specified-and-udp-failed-to-connect/
40 votes