Please publish the MD5 checksums of all the files (ISO, GPG, ...).
I think this is very important. You should not download anything until it has been publicly released on the forum. From now on, at every new release, it must always be there. I think it should not be downloaded until that is resolved. In the firewall system, there should be an option not to be required to fetch the updates from the cloud (IPS rules, virus definitions, ... other). If you trust Sophos, but not the cloud service provider, you can completely disable this and only access and download updates from Sophos servers. If someone gains unauthorized access to the cloud service information, they can manipulate the firewall arbitrarily. You could choose which countries' hosts the firewall receives updates from; from whatever is not selected, nothing is downloaded.
There must be an option in the firewall system not to download upgrades from cloud hosting providers (IPS rules, virus definitions, ... other). Their authenticity should also be checkable, and they should be updatable offline at any time. There should be the option to access and download updates from Sophos servers only. If someone gains unauthorized access to cloud provider data, they can manipulate the firewall. There should be an option to choose which countries' servers the firewall receives updates from; from whatever is not selected, nothing is downloaded. It should be possible to turn off all telemetry services. I think that would significantly increase the security of the XG firewall and its use.
We are confident that our methods for providing updates to running systems are secure. Updates are GPG-signed. When downloading full images (ISO files) ensure that you get them from www.sophos.com, over HTTPS.
DNSSEC should be on the download site too.
The fact that XG doesn’t validate DNSSEC or secure NTP astonishes me.
Bear in mind MD5 and even SHA1 are not cryptographically secure. SHA256 at a minimum.
GPG downloads (update packages) should already be safe, signed by keys already programmed into the appliance. But this isn’t the case for ISO files.
Showing hashes on a web page is of little use though (if the download is compromised the displayed hash could be too).
All downloads should be GPG-signed, and the key fingerprint should be included in physically printed documentation supplied via post.
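The verification the last few posts describe, as an added example that is not part of the thread and not Sophos's own tooling: check a downloaded image against a SHA-256 digest, then verify a detached GPG signature and accept it only if the primary key fingerprint that gpg reports equals one you pinned from an out-of-band source (such as printed documentation). The file names and the fingerprint value are placeholders, and the public key is assumed to already be in your keyring.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or from Sophos): verify a downloaded image
# against a SHA-256 checksum and a detached GPG signature, accepting the
# signature only if the primary key fingerprint gpg reports matches one pinned
# out of band (e.g. copied from printed documentation). All file names and the
# fingerprint value below are placeholders.
set -u

# Fingerprint obtained out of band, NOT from the download page. Placeholder value.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Print the hex SHA-256 digest of a file (coreutils sha256sum or BSD/macOS shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# check_sha256 FILE EXPECTED_HEX: succeed only if the digest matches (case-insensitive).
check_sha256() {
  local actual expected
  actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# validsig_fingerprint STATUS_TEXT: extract the primary-key fingerprint from a
# gpg --status-fd line of the form
#   [GNUPG:] VALIDSIG <sig-fpr> <date> <ts> <expire> <ver> <reserved> <pk-algo> <hash-algo> <class> <primary-fpr>
# Prints nothing if no VALIDSIG line is present.
validsig_fingerprint() {
  printf '%s\n' "$1" | awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $12; exit}'
}

# verify_signature SIGFILE DATAFILE: succeed only if gpg reports a valid
# signature AND the signing key's primary fingerprint equals PINNED_FPR.
# gpg's exit status alone is not enough: it is 0 for a good signature from
# any key in the keyring, whether or not that key is trusted.
verify_signature() {
  local status fpr
  status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
  fpr=$(validsig_fingerprint "$status")
  [ -n "$fpr" ] && [ "$fpr" = "$PINNED_FPR" ]
}

# verify_release IMAGE EXPECTED_SHA256 SIGFILE: both checks must pass.
verify_release() {
  check_sha256 "$1" "$2" || { echo "SHA-256 mismatch for $1" >&2; return 1; }
  verify_signature "$3" "$1" || { echo "signature invalid or key fingerprint not the pinned one" >&2; return 1; }
  echo "OK: $1 matches the checksum and is signed by $PINNED_FPR"
}

# Usage (placeholder names): ./verify.sh image.iso <sha256-hex> image.iso.asc
if [ "$#" -ge 3 ]; then
  verify_release "$1" "$2" "$3"
fi
```

The SHA-256 step only detects a corrupted or swapped download when the digest came from somewhere other than the page that served the file; if both were replaced together it proves nothing, which is the point made above. The fingerprint comparison is what ties the signature to a key you verified independently, since gpg will happily report a good signature from any key you have imported.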