XG Firewall
Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.
-
Improve Logging
At the moment, understanding what's going on is very HARD. Live logs are missing and a notepad on every section is missing.
Add a live log and allow admins to configure coloured live logs themselves (globally or on single windows?). In this way logs have different levels of importance and admins can better understand whether they need to worry or not. For example, allow admins to set red for high-risk/denied traffic/system errors, yellow for warnings/NATted/whatever, and so on.
I really love the live log in the Firewall section of UTM9, where reading what's happening is very, very easy.
440 votes
Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
We have released significant improvements to logging since this idea was first posted.
There are certainly still more things we could do.
I’m closing this item in the hope that users will post some more specific and detailed ideas for where to go next, with good examples of use cases/value provided. There are also many interesting ideas already posted that you could support or contribute to.
-
Rename/Comment Physical Interface objects
It should be allowed to change the name of Physical Interface objects from the default PORTx name to a custom one.
Also, a comment attribute/field should be added for additional description (like it was available in UTM9).
420 votes
Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
The ability to rename interface objects will be delivered in version 18 of SFOS. We will not be adding comments at this time.
If a comment/description field is important to you, support this item, which is specifically about providing comment fields more generally across the board: https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/38328700-more-objects-should-have-note-fields
For information on how to get early access to version 18, go here: https://events.sophos.com/v18eap
-
Change SSL VPN Port
Right now it is not possible to change the SSL VPN port via the GUI. Port 8443 is used by default. Please add the possibility to change it, because port 8443 is not allowed in many networks.
411 votes
-
Allow interface port to be configured with just vlans
As it is right now you must assign an IP address to an interface and then add VLANs. It doesn't allow you to just assign VLANs.
281 votes
Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
This functionality will be available in version 18 of SFOS.
To get early access to v18 right now, click here: https://events.sophos.com/v18eap
-
Add support to choose both protocols (TCP/UDP) in Service object
Currently we have to create a separate rule for each protocol (TCP/UDP).
Best regards,
Carlos
229 votes
-
default source port when adding new services to "1:65535"
It would be nice if the source port was already pre-populated like it was in UTM9.
227 votes
-
193 votes
Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
You can now boot the software installer on a Sophos appliance hardware model.
-
Webfilter & Application on User
A great feature in Cyberoam was the ability to change the webfilter/App filter for a user or group in the identity section.
With XG that good option was left out, allowing only firewall-rule-based webfilter/App filter application, as competitors do.
Please bring back that feature which made Cyberoam so popular.
186 votes
In v16, we added user and group constraints to web policies. This allows admins to control all web behaviors for all users from a single screen, while adding more powerful and simpler to maintain web policies than in any other firewall. This allows you to define behaviors for users or groups in a single policy, while also defining exceptions and overrides in that same policy, and not needing to create policy clutter with multiple, similar web policies.
-
SD-WAN
SD-WAN
186 votes
Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
We are adding a range of SD-WAN features in version 18.
You can get early access to it here: https://events.sophos.com/v18eap
-
Allow VLANs to be added to a bridge
This function was available in UTM 9, but it's missing in the new XG Firewalls. I should be able to create a new VLAN and add it to a bridge so that it spans multiple physical interfaces. As it is right now, a new VLAN can only be added to a single physical port.
177 votes
Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
In SFOS version 18 it is possible to set a VLAN virtual interface on a pre-existing bridge group.
Find out about the early access program for V18 here: https://events.sophos.com/v18eap
-
Zero-config HA
Clustering UTM is very easy. Now you have to assign an IP to the ***** XG and create the cluster. UTM clustering technology is the simplest one I have ever seen. The other thing is the DMZ zone to be used when you need to create the cluster. A dedicated zone should be available (maybe HA?). Also a second interface is missing as an alternate interface.
163 votes
Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
Plug-and-play HA will be available with version 18 of SFOS.
For information on the ongoing early access program for version 18, click here: https://events.sophos.com/v18eap
-
Add FreeDNS.afraid.org DynDNS Provider
FreeDNS was on UTM 9; is there any reason why it has not been carried over to XG Firewall? I for one would like to have FreeDNS enabled in XG Firewall, as I see no technical reason why it should not be there.
Or at least have a custom setting for Dynamic DNS that enables a feature to set Dynamic DNS via a URL that can be called by curl.
159 votes
Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
This will be available in version 18 of SFOS.
To get early access, go here: https://events.sophos.com/v18eap
-
Automatic Firewall Rule and Group
At the moment, automatic firewall rules are not available in any option as they were with UTM9, for example when you set up a new site-to-site or VPN. This is very useful and time saving. Also add an "Automatic Firewall Rules view" inside the Policy section.
Last, add the chance to create groups so we are able to group rules together.
138 votes
Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
Firewall rule groups were implemented in version 17.
Some features now offer automatic firewall rule creation and more will come.
We are closing this item as ‘Complete’, as the remaining issues are better addressed as more specific, detailed suggestions. Please feel free to create new ideas for specific use-cases.
-
IKE v2 and dynamic routing
IKEv2 and dynamic routing
117 votes
Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
IKEv2 has been delivered.
To support/follow route-based VPN, check out this item: https://ideas.sophos.com/admin/v3/ideas/11118984/
-
NTP - no need for rebooting the Firewall
When making changes to the NTP Configuration, it should not be necessary to reboot the Firewall afterwards.
104 votes
-
Add support to copy/duplicate policy rules
This will help us to reduce time and management in this operation.
For example, policy rules with the same destination, ports and gateway but with a different source address could be easily cloned based on another one.
Best regards,
Carlos
98 votes
Support for this feature was added in XG v16.
-
Separating “YouTube Restricted Mode” from "Enable SafeSearch" feature
Separating YouTube "Restricted Mode" from "Enforce Safe Search" option in XG Firewall would allow much more flexibility for customers.
YouTube "Restricted Mode" is currently just too "restricted" (not usable) and customers should have the possibility to turn it on or off without impact on SafeSearch.
On the other side, SafeSearch is a very useful feature that customers would probably have always on.
97 votes
Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
This was delivered in version 17.5.
-
Sophos XG Unified firewall Business application should accept a host/services object
Under: Policies > Security Policies
When adding a Business application non-HTTP rule you should have the option to use "Objects > Hosts and Services > Services" objects as the Port Forwarding target.
This reduces the rules required and keeps it more unified.
At the moment you need to add multiple rules, i.e. a hosted service that uses a mixture of single ports, port ranges and both TCP/UDP will require multiple rules to achieve something very simple.
97 votes
-
Allow wildcard subdomains in Firewall rules
Firewall packet filtering based on wildcard subdomains and reverse DNS resolution.
We would like to allow/deny connections based on a wildcard subdomain (think *.example.com). The only way to do that is to reverse-DNS the destination IP and allow/deny based on the wildcard rule?
Although there is the common possibility that the reverse DNS is not the same as the A or CNAME record requested, so I'm not sure how useful that would be. But we would really appreciate the ability to filter based on wildcard subdomains, like *.update.microsoft.com. See:
https://technet.microsoft.com/en-us/library/bb693717.aspx
93 votes
Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
You can now do this with FQDN objects.
-
Improve GUI
At the moment the Dashboard cannot be customized, there is no flow control and no in/out of each interface. Really missing many nice features from UTM9. Sort options inside menus in alphabetical order.
Make sure the GUI can use the whole screen resolution; allow us to reset alarms from the GUI;
The GUI should be similar in features to UTM9. We will see!
93 votes
While there are a number of points listed here that are not completed, we will continue to improve and refine the XG UI in future updates. We have completed the first wave of improvements in XG v16.