XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.

  1. Anti-portscan

    XG does not have an anti-portscan feature. Please vote for it!

    499 votes
    56 comments  ·  Network Protection
  2. Sophos VPN app for mobile platforms

    Sophos should develop its own VPN app for mobile operating systems (iOS / Android / Windows Phone) which can connect via the UTM using the configuration pushed from the UTM to the SMC server.
    It should also support the Per-App-VPN feature which was introduced in iOS 7.

    337 votes
    18 comments  ·  Network Protection
  3. Native Microsoft Azure Site-to-Site VPN

    Sophos UTM already natively supports automatic site-to-site VPN tunnels with BGP routing to AWS. I look forward to Sophos UTM supporting the same sort of site-to-site VPN tunnels with BGP to Microsoft Azure in public and private cloud deployments.

    I think the easiest way for this to work would be for Sophos UTM to look at the requirements of getting the VPN itself set up (which has been documented in the forums and works), then to make BGP work on top of that, then ensure that BGP and the VPN can work between multiple private cloud and public cloud sites, then…

    204 votes
    26 comments  ·  Network Protection
  4. Make outbound queries using DNS over TLS

    Based on comments on this item, the request is for XG Firewall to use DNS over TLS to make outbound DNS queries over an encrypted channel.

    If you want to support adding the ability for XG Firewall to be a server for DNS over TLS requests from other devices or endpoints, please create or support a separate idea submission. Also, DNS over HTTPS is covered in a different item: https://ideas.sophos.com/admin/v3/ideas/37437661/

    168 votes
    21 comments  ·  Network Protection
  5. Device Type and OS type detection, so can apply rule by it.

    Please, we need to apply rules by device type or OS type.
    Most of our customers ask for it, because it is included on other firewalls.

    92 votes
    17 comments  ·  Network Protection
  6. Remove a DHCP lease

    There needs to be an option to remove a DHCP lease IP address.

    75 votes
    1 comment  ·  Network Protection
  7. MAC based authentication

    Give an option to restrict a user to accessing the internet from a specific MAC address only. Currently in 16.05 there is an option shown in Authentication > Users > Details, but it does not work.
    Sophos support says such a feature is not available. Please bring the feature back.

    Summary: Restrict a user to a particular MAC address. The user should be able to log in to internet/UTM from this MAC address only.

    69 votes
    12 comments  ·  Network Protection
  8. AWS MarketPlace XG Firewall

    Hi,

    Right now, UTM 9.5 is available at AWS Marketplace.

    When will XG be available?

    Regards

    63 votes
    2 comments  ·  Network Protection
  9. Feature request - Custom security risks level

    I am using SFOS at home (at the moment) and I have seen from reports that some custom ports (in my case TCP:49275) do not have a risk level. All other known applications are already classified. My questions are:

    1. Why not add the option for a custom port to become an application?
    2. Why not add a custom risk level to a custom application?
    3. Why can users not change the risk level on known applications?

    I work with the health care industry and banks too, and every customer has different needs, so I am sure that for some, Skype (for example) is extremely risky while…

    53 votes
    4 comments  ·  Network Protection
  10. Implement support for dynamic/public IP/URL blacklist feeds

    Alienvault has OTX (Open Threat eXchange) and there's https://intel.criticalstack.com/.
    There's also a very big player, Palo Alto Networks that provides Minemeld (see links at bottom of this post).

    They all provide public feeds of known hostile IP addresses/ranges and URLs*.

    I would really like to be able to make use of such feeds so I can create specific rules on my firewall to block all incoming traffic from these sources and possibly outgoing URL requests to known C2 servers.

    If this blocked traffic (the outgoing attempts) is logged in a specific log, it would have the additional benefit of…

    52 votes
    15 comments  ·  Network Protection
  11. Load Balancing Ratio - Usage of % instead of numbers

    Gateway Load Balancing accepts numbers, and if you have more than 2 gateways, finding the ratio number can be challenging. Using a percentage is less confusing and simpler to use.
    Thanks

    47 votes
    3 comments  ·  Network Protection
  12. TLS 1.2 support for SSL VPN

    Currently TLS 1.2 is not supported for SSL VPN for SF-OS.

    Reference FR ID is NPM-264.

    We have a partner's firm that deals in financial services and they are allowed to use only TLS 1.2 for SSL VPN due to compliance.

    43 votes
    2 comments  ·  Network Protection
  13. Anti-malware between zones for all protocols

    XG is able to filter malware only if FTP/HTTP/HTTPS protocols are used. Engines are there but cannot be used to scan traffic between zones if the protocols are not FTP/HTTP/HTTPS.
    Please allow Admins to enable malware scan on different protocols (for example scanning CIFS/SMB).
    Thanks

    43 votes
    3 comments  ·  Network Protection
  14. Device inventory

    I suggest a view of devices on the network, divided by operating system and showing the essential information such as host name, IP and MAC address, and which interface they are connected to.

    39 votes
    0 comments  ·  Network Protection
  15. Weak hand shake - SSL VPN

    Hi team, I noticed that Sophos VPN uses a weak handshake for remote users despite high settings on SSL VPN crypto.
    Currently it uses: SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
    3DES-EDE is known to be weak.
    I think this is a serious problem for such a nice firewall.
    Forum post: https://community.sophos.com/products/xg-firewall/f/vpn/84727/sophos-xg-ssl-vpn-remote-use-weaker-handshake-than-specified-and-udp-failed-to-connect/

    39 votes
    1 comment  ·  Network Protection
  16. Add support to choose multiple Hosted Address when create a Business Application Policy

    Add support to choose multiple Hosted Addresses when creating a Business Application Policy.
    Imagine a customer with 3 WAN links and 50 Business Application Policy rules. It is necessary to create 150 rules for this.

    This is a real case today.

    Best regards,

    Carlos

    38 votes
    1 comment  ·  Network Protection
  17. Socks proxy

    In UTM 9.x there was an option to use the UTM as a SOCKS5 proxy using port 1080. That was very helpful when you try to connect LAN computers to remote servers over the internet without the need to open firewall rules or NATing, e.g. bank applications that transfer data between a PC and the bank office using a secured channel instead of web browsing.
    We used to run the Hummingbird SOCKS proxy client.

    37 votes
    0 comments  ·  Network Protection
  18. Decryption Port Mirroring

    The Decryption Port mirror feature provides the capability to create a copy of decrypted traffic from a firewall and send it to a traffic collection tool that is capable of receiving raw packet captures (such as NetWitness or Solera) for archiving and analysis. This feature is necessary for organizations that require comprehensive data capture for forensic and historical purposes or data leak prevention (DLP) functionality.

    36 votes
    2 comments  ·  Network Protection
  19. IGMP proxy

    Instead of just static multicast routes, allow proxying everything to another interface.

    Many other vendors have a function for IGMP proxy.

    35 votes
    4 comments  ·  Network Protection
  20. Bind multiple IPs on single MAC

    Allow binding multiple IPs on a single MAC between different DHCP networks. We have some scenarios that need this feature and it would be very important for Sophos to allow that.

    35 votes
    3 comments  ·  Network Protection