XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.

XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.

Suggest an Idea...

(thinking…)

Enter your idea and we'll search to see if someone has already suggested it.

If a similar idea already exists, you can support and comment on it.

If it doesn't exist, you can post your idea so others can support it.

Enter your idea and we'll search to see if someone has already suggested it.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. IPS Real time alerts

    The firewalls must: Notify the administrator in real time of any items requiring immediate attention. -[Requirement of PCI CP)

    2 votes
    Sign in
    Check!
    (thinking…)
    Reset
    or sign in with
    • sso
    • facebook
    • google
      Password icon
      Signed in as (Sign out)

      We’ll send you updates on this idea

      0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
    • QOS per interface or Gateway

      Can we please get some QOS functionality on a per interface or per Gateway option,

      We have a lot of customers that have multiple links with different speeds, it is currently difficult to manage this with the current QOS functionality.

      I see a lot of other feature requests for QOS but none that cover this topic.

      Thank you

      3 votes
      Sign in
      Check!
      (thinking…)
      Reset
      or sign in with
      • sso
      • facebook
      • google
        Password icon
        Signed in as (Sign out)

        We’ll send you updates on this idea

        1 comment  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
      • i need to enable load balancing between 2 isp where having 3 isp

        i need to enable load balancing between 2 isp where having 3 isp

        1 vote
        Sign in
        Check!
        (thinking…)
        Reset
        or sign in with
        • sso
        • facebook
        • google
          Password icon
          Signed in as (Sign out)

          We’ll send you updates on this idea

          0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
        • Ability to not have local data transmission count as data used on voucher quotas.

          Right now it would appear that data used by voucher users even for local traffic, affects their qouta balance, so if a voucher is for 1 Gig, if the voucher user consumes only local traffic, not WAN data, it still affects the user's data usage. Personally don't think it should be that way, or at least have the option to not have it affect the voucher balance.

          1 vote
          Sign in
          Check!
          (thinking…)
          Reset
          or sign in with
          • sso
          • facebook
          • google
            Password icon
            Signed in as (Sign out)

            We’ll send you updates on this idea

            0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
          • zabbix

            Gostaria de sugerir a implementação do agente do zabbix nos equipamentos Sophos XG, a sugestão é devido a necessidade que temos atualmente de monitorar alguns XG, que estão trabalhando como brigde e não possuem acesso quando a origem é a internet, com a possibilidade do agente zabbix poderíamos configurar para que o mesmo enviasse as informações para nosso servidor no SOC, independente do IP de saída.

            Resumidamente ter a opção de trabalho ativo e passivo.

            https://www.zabbix.com/documentation/3.0/pt/manual/distributed_monitoring/proxies

            2 votes
            Sign in
            Check!
            (thinking…)
            Reset
            or sign in with
            • sso
            • facebook
            • google
              Password icon
              Signed in as (Sign out)

              We’ll send you updates on this idea

              0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
            • Advanced NAT options for firewall rules

              I have seen multiple forum posts about this and there's also some feature requests that all come down to the same issue: managing NATs kind of sucks on the XG!

              On a user rule, the only thing we can do is masquerade. That's not always useful. There's no way to control DNAT and SNAT options in a good way. We don't have a proper way to set up a 1-to-1 NAT for a full network other than creating two business rules that are really not made for this purpose. It's completely unintuitive and not well designed.

              The Network Address Translation…

              5 votes
              Sign in
              Check!
              (thinking…)
              Reset
              or sign in with
              • sso
              • facebook
              • google
                Password icon
                Signed in as (Sign out)

                We’ll send you updates on this idea

                0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
              • wan traffic

                Per-WAN definition of available bandwidth.
                Traffic shaping and WAN load-balancing, as currently defined in the XG don't allow us to take advantage of knowledge of the available connections.

                In our typical use case, we have a secondary connection which it'd be great to load balance over, but we need to guarantee that we never use the last 10~20% of that connection as it's reserved for high-priority services that cannot sit behind the firewall.

                In the SG this was easy; you defined an bandwidth limit per interface when setting up QoS; I'm not sure why someone was possessed to come up…

                2 votes
                Sign in
                Check!
                (thinking…)
                Reset
                or sign in with
                • sso
                • facebook
                • google
                  Password icon
                  Signed in as (Sign out)

                  We’ll send you updates on this idea

                  0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
                • Sandstorm progress page

                  Would be awesome to be able to see the progress of a scan from the users perspective instead of a dead screen and then have to guess when the scan is done.

                  4 votes
                  Sign in
                  Check!
                  (thinking…)
                  Reset
                  or sign in with
                  • sso
                  • facebook
                  • google
                    Password icon
                    Signed in as (Sign out)

                    We’ll send you updates on this idea

                    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
                  • SSL vpn user not able to access vpn remote access

                    SSL vpn connection is all about remote connection to the local Lan and also it should be for VPN connection also. when we connect through SSL vpn we can access only local machines but not the remote VPN machine , thus admin has to provide another local machine for remote SSL_VPN user. Your thoughts on this......

                    1 vote
                    Sign in
                    Check!
                    (thinking…)
                    Reset
                    or sign in with
                    • sso
                    • facebook
                    • google
                      Password icon
                      Signed in as (Sign out)

                      We’ll send you updates on this idea

                      0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
                    • STAS application should allow changing WMI credential

                      STAS application should allow changing WMI credential (case number 8430014). The installed STAS agent per domain controller should have an option to update the credentials used for collecting info. The only option to enter the credentials is during the install. So if the admin username / password changes, the only option is to uninstall / reinstall the agent.

                      5 votes
                      Sign in
                      Check!
                      (thinking…)
                      Reset
                      or sign in with
                      • sso
                      • facebook
                      • google
                        Password icon
                        Signed in as (Sign out)

                        We’ll send you updates on this idea

                        0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
                      • IP host rules linking

                        Need a way to check how many firewall rules an IP host is associated with.

                        2 votes
                        Sign in
                        Check!
                        (thinking…)
                        Reset
                        or sign in with
                        • sso
                        • facebook
                        • google
                          Password icon
                          Signed in as (Sign out)

                          We’ll send you updates on this idea

                          0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
                        • IPS Signature details

                          It is good to provide more details to an IPS signatures directly from the IPS policies/signature. This was found in Cyberoam last time but not available in Sophos.

                          This is useful for the security admin to find a resolution to the "attack" rather than only bypassing it, without knowing what is going on.

                          6 votes
                          Sign in
                          Check!
                          (thinking…)
                          Reset
                          or sign in with
                          • sso
                          • facebook
                          • google
                            Password icon
                            Signed in as (Sign out)

                            We’ll send you updates on this idea

                            0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
                          • Block l2tp and pptp requests at perimiter

                            Today, it is quite possible to brute-force attack L2TP and PPTP as there is no way to drop incoming requests based on IP, geo or any other variable.

                            I would like the ability to assign a network rule (or equivalent) that drops requests for such features before entering the firewall, before reaching authentication. Much like ACL exceptions for device access does.

                            This is not possible today, and we have to contend with miles of logs with login requests and tries from far away, just probing for passwords.

                            3 votes
                            Sign in
                            Check!
                            (thinking…)
                            Reset
                            or sign in with
                            • sso
                            • facebook
                            • google
                              Password icon
                              Signed in as (Sign out)

                              We’ll send you updates on this idea

                              0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
                            • quota limit per IP (feature available through user only)

                              quota limit per IP (feature available through user only)

                              2 votes
                              Sign in
                              Check!
                              (thinking…)
                              Reset
                              or sign in with
                              • sso
                              • facebook
                              • google
                                Password icon
                                Signed in as (Sign out)

                                We’ll send you updates on this idea

                                0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
                              • fqdn

                                FQDN host instant reverse lookup for rules, so they work first time, or periodic update of DNS cache for FQDN hosts. We see an issue with round robin style FQDN hosts not being picked up on a rule. The first IP attempt is not resolved and the correct rule doesn't get applied, however the next attempt is from another IP address which doesn't trigger the rule either, it's only once the round robin has gone all the way round that the rule works properly. For example we found this with Exchange Online, using IPs 65.55.88.X for SMTP, the rule wouldn't…

                                1 vote
                                Sign in
                                Check!
                                (thinking…)
                                Reset
                                or sign in with
                                • sso
                                • facebook
                                • google
                                  Password icon
                                  Signed in as (Sign out)

                                  We’ll send you updates on this idea

                                  0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
                                • Data Control

                                  Data Control is rule based but has a hardcoded rule (per sophos support) that cannot be disabled: it blocks all communication to external devices that isn't initiated through Windows Explorer. But this is how backup software operates (Veeam in our case). We cannot enable Data Control and perform data backups. My request is to make this functionality of Data Control be rule based so end users can choose to enable or disable it to fit their environment.

                                  1 vote
                                  Sign in
                                  Check!
                                  (thinking…)
                                  Reset
                                  or sign in with
                                  • sso
                                  • facebook
                                  • google
                                    Password icon
                                    Signed in as (Sign out)

                                    We’ll send you updates on this idea

                                    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
                                  • Bypass IPS

                                    Give us a way to bypass the IPS based on source and/or destination. We have clients who pay for vulnerability scanning, pen-testing, web app auditing, etc. and currently there is no way to bypass the IPS if the rules are numerous without duplicating each rule where the first rule has the IPS turned off.

                                    1 vote
                                    Sign in
                                    Check!
                                    (thinking…)
                                    Reset
                                    or sign in with
                                    • sso
                                    • facebook
                                    • google
                                      Password icon
                                      Signed in as (Sign out)

                                      We’ll send you updates on this idea

                                      0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
                                    • Enable/Disable Firewall rule

                                      It would good if you could enable/disable the firewall rule from the main list display, rather than having to click the "..." menu and then select disable/enable. Cyberoam could be enablde/disabled on the firewall rules list.

                                      3 votes
                                      Sign in
                                      Check!
                                      (thinking…)
                                      Reset
                                      or sign in with
                                      • sso
                                      • facebook
                                      • google
                                        Password icon
                                        Signed in as (Sign out)

                                        We’ll send you updates on this idea

                                        0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
                                      • Static ARP Bulk upload feature is highly recommended

                                        Static ARP Bulk upload feature is highly recommended

                                        1 vote
                                        Sign in
                                        Check!
                                        (thinking…)
                                        Reset
                                        or sign in with
                                        • sso
                                        • facebook
                                        • google
                                          Password icon
                                          Signed in as (Sign out)

                                          We’ll send you updates on this idea

                                          0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
                                        • Nat on different Tab not on firewall rules

                                          Nat on a different TAB, like SG version,
                                          It will be great to use and categorize rules by selecting NAT SNAT,DNAT,1:1 NAT.

                                          1 vote
                                          Sign in
                                          Check!
                                          (thinking…)
                                          Reset
                                          or sign in with
                                          • sso
                                          • facebook
                                          • google
                                            Password icon
                                            Signed in as (Sign out)

                                            We’ll send you updates on this idea

                                            0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
                                          ← Previous 1 3 4 5 13 14
                                          • Don't see your idea?

                                          Feedback and Knowledge Base

                                          icon-data-protection icon-endpoint-protection icon-phish-threat icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-mobile icon-sophos-utm icon-sophos-utm icon-sophos-utm icon-web-appliance icon-xg-firewall icon-xg-firewall icon-lightbulbCreated with Sketch.