XG Firewall
Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.
-
Admin login “failed password” error
We recently set up a new XG 115 firewall, saved the config, and then found ourselves unable to log in ("failed password").
We contacted support and spent time using a keyboard and screen to reset the password - still no login. Then, after fully resetting, the Sophos support person eventually advised we had a corrupted image and the unit was replaced as DOA.
The new unit was set up with the same result. We proceeded to wipe and reset using different passwords, which all worked when using the keyboard and screen.
Only after setting up another Sophos incident and booking another engineer did we…
2 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
Thanks for your feedback. I’ve passed it on to our support team with a suggestion that they update their troubleshooting procedures for this kind of problem.
-
Have detailed reports/graphs on XG as available in Central (cloud)
Implement the wifi graphs/reports that are available in the cloud (Central) on the XG as well, as currently the XG options for wifi are useless.
1 vote · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
Central Firewall Reporting is currently under development and we expect to release it soon. For more details, see this community post: https://community.sophos.com/products/xg-firewall/sfos-eap/central-firewall-reporting-eap/b/announcements/posts/central-firewall-reporting-eap-is-here
-
4 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
Check the new XStream SSL features in Version 18. It provides much more detail around success or failure of the TLS layer of an HTTPS transaction.
-
XG is not working to perform hairpinning. Nowadays so many devices are accessed internally by global IP without FQDN, so enable this feature.
3 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
This is being addressed in version 18.
-
STAS: allow unauthorised users to access the internet
STAS to allow unauthenticated users internet access. We use STAS to map IP against users for web-use monitoring; we don't want to restrict non-authenticated users or annoy them with having to log in to the XG.
2 votes
During identity probing, client traffic is restricted and not subject to firewall rules that would later allow unauthorized clients. This behavior has been made configurable, so users may choose whether to restrict clients during probing or not.
-
Add support for cipher suite in Cyberoam OS
Add support for the cipher suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 {0xC0,0x2F} in Cyberoam OS.
88 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
This was fixed in CROS 10.6.6-MR5.
-
Hairpinning
Can automatic NAT hairpinning be built into SFOS automatically like it is in UTM? Very frustrating to have to create hairpin rules in order to access published servers from behind the same XG firewall. The best solution I've found to date is to set the source zone as "any" on the business rule governing the DNAT for the published service; however, that masks the true source IP address for any device on the outside accessing that published service, because the firewall translates the source to its own IP address. That makes it impossible to filter and restrict access to some…
2 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
This issue is being addressed in SFOS v18.
-
Quota on Web
The administrator must be able to reset the quota for a user.
This option was working fine on the UTM but is not available in the XG. The quota only works well when I can set a quota on a user activities group.
And in this group are categories.
And a user can be in different groups on the XG. So you have a group with free internet for work and a group with quota internet for pause or fun.
1 vote · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
Check out version 18 which introduces web policy-based time quotas, similar to the feature in SG UTM.
-
SNMP v3 version in XG105 firewall is not available
SNMP v3 is not available in the XG105 firewall; please check the possibility of adding it in the new firmware version ASAP. Because without SNMP v3 I don't like to call it a firewall at all.
11 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
This is available in version 18 of SFOS.
-
Backup to Central
With the integration started with Sophos Central, it would be great if the last x number of backups could be pushed into Sophos Central. This would provide a few capabilities. One: it could be backed up centrally without the required MR4 password affixed to it, so no prior knowledge would be required to restore that backup if hardware failed. Two: it would create snapshots of the configs in time for audit / discovery purposes, hopefully eventually leading into a change log of all UTM config changes. Three: in DR scenarios it exists outside of all company systems and people, so…
4 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
This is available now in Central Firewall Management.
-
Reset firewall hit counter
Reset the firewall hit counter, not only after reboot.
5 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
This is now possible in version 18.
-
Harmonize log format
The current log format has key=value pairs, which are easy to manage in certain centralized logging solutions. However, some of these values contain quotation marks (") and some do not. As there are several longer values, a quotation mark is reasonable, and thus every value should have quotation marks.
2 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
We have improved the consistency of the syslog logging significantly in version 18.
-
OpenSSL
Can we please update OpenSSL to a newer version and also maybe compile it to use the AES extensions in the CPU, for those of us that have processors that support it? 50 road-warrior VPN users, 12 RED devices, and 5 site-to-site tunnels can crush a 310.
7 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
OpenSSL is updated in version 18.
-
Allow Sandstorm to show every request to help debugging
Sometimes I find Web sites that appear to be unresponsive unless I add an exception to the XG to skip Sandstorm scanning for them (or create a clone rule that has "Scan for zero-day threats with Sandstorm" disabled.) I spent over three hours with Sophos tech support trying to figure out why this was happening because nothing was showing in the sandboxd log, and it couldn't be set to debug log level to confirm if this is a bug or if Sandstorm is working as designed.
So please add a debug log level option to sandboxd and allow it to…
4 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
Version 18 will provide a lot more information around Sandstorm activity, in the report and in the log viewer.
-
XG Firewall: Allow changing HA-monitored interfaces without breaking HA
Allow changing HA-monitored interfaces without breaking HA, as is possible in UTM/SG OS.
Why is there the need to break HA if only a change or modification on a productive plant is planned that should be online 24x7? That's why HA is implemented!!
13 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
This has been implemented in SFOS v18.
-
Inside activation Firewall Rule
If a Firewall Rule (User/Network Based) is disabled, it would be nice to have the option to activate it inside the rule configuration as well.
1 vote · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
This is possible in v18.
-
Multiple IPs in Business Application Rules
When creating a Business Application Rule as a NAT, have the option to choose more than just one IP address to receive the connection.
7 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
Changes in Version 18 will facilitate this.
-
Please have all Public IP vs Internal IP NAT information in tabular format
Hi Team - could you please have all Public IP vs Internal IP NAT information in tabular format? Every time I would need to check every NAT/Business rule.
This is a frustrating and time-consuming process and has chances of wrong assessment.
1 vote · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
NAT is being moved to separate table of NAT rules in version 18. I think this will give you what you’re looking for.
Check out the version 18 early access program: https://events.sophos.com/v18eap
-
Syslog Servers - Export Logs DHCP
From our Sophos XG 450 devices we would need to export logs related to DHCP.
The data we need are: IP address, Mac address, Host Name.
We would also need to export logs related to SSL VPN Client connections with the same information (IP address, MAC address, Host Name).
Rogari Andrea
5 votes · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
DHCP logs can be exported to Syslog in version 18.
-
The reflexive feature for LAN-LAN rule creation is supposed to be in Sophos Firewall, as in Cyberoam
As I recently noticed while creating a Business rule to forward a port, if we select "create reflexive rule" it doesn't create a rule for LAN-LAN access, as Cyberoam does.
So I request you to kindly add this feature in a future upgrade. It helps to optimize time and have clarity for the same.
1 vote · Completed · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
This will be addressed in version 18.