XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.


Add support for cipher suite in Cyberoam OS

Add support for cipher suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - {0xC0,0x2F} in Cyberoam OS

87 votes
Anonymous shared this idea

  • JB commented

    So hilarious when people complain about a security device doing its job and protecting them from an insecure cipher. See the RSA in that cipher, that means it is vulnerable to ROBOT and hence why the firewall is blocking it. How about instead of giving Sophos a hard time you go complain to the people running their websites on an insecure cipher?


    Why would you ask a network security company to enable an insecure cipher for the convenience of your customers and yourselves?

  • John Powell commented

    UPDATE: We seem to have found a solution on some of our clients. The Cyberoam time was incorrect. On some only by a few minutes but some by 12 hours or so.
    We have now set these to use an NTP server and correct timezone etc. and this seems to have resolved our issue. Very strange. I'd be interested to know if this helps anyone else!

  • John Powell commented

    We're getting customer after customer with this issue. No longer just web portals. Adobe Creative Cloud login and other software vendors whose licensing servers appear to be on AWS!
    The firewall rule workaround is not a solution... That said, it sounds like a few of you have had some success with this as a temp workaround.
    I haven't. Can anyone shed any light?
    I can't believe we only have 80 votes for this!

  • Rod Arthur commented

    Agree that this is a BUG, causing lots of pain over the past few weeks. The Cyberoam Support recommended workaround, to create a new rule explicitly bypassing any Web Filter security (must set to NONE) for every individual FQDN URL that is experiencing the issue, is not satisfactory. Bypassing any security surely is a very temporary fix. PLEASE resolve this issue ASAP and make our client Cyberoams secure again.

  • Jim Gray commented

    I have a list of customers that call me daily for whom I am having to set up a firewall rule to disable web filtering. This puts the customer at risk and they are not too happy with the workaround. PLEASE fix this ASAP! We can't get customers to pay us as the Intuit payment site is hosted on AWS.

  • Jason Cecchin commented

    Also maybe add
    {0xC0, 0x30} TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    while you are at it because I suspect that's an issue also...

  • Jason Cecchin commented

    Further to this it would be handy to have a list of exactly which ciphers are supported by the CR-OS for web filtering (can't seem to find one)

    Creating firewall rules to bypass web filtering (besides being time consuming) is not really an acceptable long term solution as it weakens security performance of the product.
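
Added example (not part of the thread and not Sophos or Cyberoam code): one way to see which cipher suites a filtering proxy offers upstream is to capture its ClientHello and read the `cipher_suites` vector. The Python below does that and reports whether the two code points named in this thread are present; the sample records are constructed for illustration, not captured from a Cyberoam device, and `build_client_hello` is a hypothetical helper.

```python
# Added example: sample records below are constructed, not captured traffic.
SUITES_FROM_THREAD = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

def offered_cipher_suites(record):
    """Return the cipher-suite code points offered in one TLS ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:          # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4 or body[0] != 0x01:  # 0x01 = ClientHello
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("ClientHello continues in another record")
    pos = 2 + 32                                      # client_version + random
    if pos >= len(hello):
        raise ValueError("ClientHello too short")
    pos += 1 + hello[pos]                             # skip session_id
    if pos + 2 > len(hello):
        raise ValueError("ClientHello too short")
    n = int.from_bytes(hello[pos:pos + 2], "big")
    raw = hello[pos + 2:pos + 2 + n]
    if len(raw) != n or n % 2:
        raise ValueError("malformed cipher_suites vector")
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, n, 2)]

def missing_suites(record):
    """Names of the suites discussed in the thread that the client did not offer."""
    offered = set(offered_cipher_suites(record))
    return [name for code, name in SUITES_FROM_THREAD.items() if code not in offered]

def build_client_hello(suites):
    """Hypothetical helper: build a minimal ClientHello record for the demo."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session_id
             + len(cs).to_bytes(2, "big") + cs + b"\x01\x00")  # suites, null compression
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

# Constructed inputs: an older CBC-only offer and one that includes both suites.
LEGACY_HELLO = build_client_hello([0x002F, 0x0035, 0x000A])
MODERN_HELLO = build_client_hello([0xC02F, 0xC030, 0x009C])

if __name__ == "__main__":
    for label, rec in (("legacy", LEGACY_HELLO), ("modern", MODERN_HELLO)):
        print(label, [hex(c) for c in offered_cipher_suites(rec)], missing_suites(rec))
```

Feed `offered_cipher_suites` the raw bytes of the first record the proxy sends to the upstream server, for example exported from a packet capture taken on the WAN side.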

  • Jason Cecchin commented

    Pity I can't add an extra vote for every one of my clients who contact me for support regarding a website they can't reach due to this issue. (And I might add they are all current maintenance paying customers who will probably upgrade to Sophos-XG unless they become dissatisfied with the product in the meantime.)

  • Boon Tee commented

    This is not a "feature" to be added. It is a bug that should be fixed.
    We have paid for support. It is not a "free" product.

  • Prashanr Rabse commented

    Dear Sophos Team,

    If your Cyberoam doesn’t support the cipher suite, in this case you should enable a notification message to the end user.

    Request you to work on it.

  • Barry Grove commented

    "CROS proxy doesn’t support cipher suite 0xc02f and considered as a feature request. As per the Product Team, we have an update that currently, they do not have any plan to include feature request in the Cyberoam firewall with CR-OS."
    This is the reply I received today regarding an increasing number of websites. This needs to be fixed by Cyberoam / Sophos. This has happened within the last couple of weeks. I haven’t loaded an update on one of my Cyberoams for 1 yr, so how has this problem arrived?

  • Jeff commented

    Rajivh Thakor
    June 26, 2019 12:57 AM
    Please help me create a destination IP or FQDN based rule regarding these types of websites, ASAP.

  • Anonymous commented

    You have made it clear to me that the only solution is a Software Router, so if something like this happens I can uninstall the OS and install another.

    Reviewing these products.

  • Anonymous commented

    I need to find and set the specific web sites that use this cipher suite if an end user complains to us.
    It should be fixed in cyberoamOS, please do ASAP.

  • Anonymous commented

    Please fix this ASAP. This is not a feature but basic functionality, because the market is using this.

  • Keynon Lannom commented

    Either kill off Cyberoam completely or continue to support it, as myself and my customers have paid for support for the next 3 years. It is unacceptable to fix this on Sophos-XG and not on the Cyberoam units. Agree with others we should not have to vote to have this fixed... this should just be fixed.

  • Steve Freist commented

    I have had to disable web filtering to allow my users to get around this issue and use the internet. This is nonsense and needs to be fixed. I'm looking at other firewall hardware from other companies that understand the need to support this cipher... Support's solution was to add each failing site to an allow list but that's insane as there are so many sites that use this cipher...
