XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.

  1. Allow to enter a partial MAC-Address to filter for Vendors

    It would be great to be able to enter a partial MAC address, e.g. 00:1A:E8:*, within the MAC Address Definition section.
    The MAC address in this example would involve every device from the vendor Unify.

    1 vote

    0 comments  ·  Network Protection
  2. Allow netflow to be assigned to a specific zone

    It would be great to be able to assign the netflow service to zones the same as you can with most other services: SNMP, SSL portal, ping, user portal, etc.
    You cannot truly segregate all management traffic/duties with the current implementation without rewiring the default LAN port to be a dedicated management interface.

    1 vote

    0 comments  ·  Network Protection
  3. Ghost ip detection

    We are using the DHCP server from our XG firewall. The IP lease setting is 12 hrs. I am looking for some tools with which I can find ghost IPs (IPs which are not active) and clear them from the DHCP pool in order to assign them to new connections.

    Secondly, I want to know how I can make a rule so that a device that is not authorized to access the internet does not get an IP from the DHCP server.

    1 vote

    0 comments  ·  Network Protection
  4. Block IPv6 UDP fragmentation

    Currently, on XG firewalls one can disallow fragmented traffic via the CLI (fragmented-traffic deny). But this cannot be reduced to IPv6 UDP traffic only.

    1 vote

    0 comments  ·  Network Protection
  5. set group of wan links to perform load balancing

    In the future, we need to be able to set a group of WAN links to perform load balancing.
    Example:
    I have 6 WAN links from different ISPs (Vodafone, WE, TE-DATA, Nour, Orange, and Etisalat).
    We need to be able to make (Vodafone, WE, and TE-DATA) perform load balancing to serve a specific subnet and create another load-balancing group with the rest of the ISPs (Nour, Orange, and Etisalat) to serve another subnet.

    1 vote

    0 comments  ·  Network Protection
  6. Dhcp lease Export in one Excel File

    It is submitted that in the firewall the DHCP leases cannot be downloaded properly, and because of this the admin user is facing a problem. You are requested to please provide a function to import an Excel file of all IPv4 DHCP leases so that all leases can be downloaded easily and the DHCP logs can be maintained properly by the admin user. Firewall > Network > DHCP > IPv4

    1 vote

    0 comments  ·  Network Protection
  7. OP Manager Compatibility with XG

    Customer wanted to have the OP manager compatibility with XG Firewall

    3 votes

    0 comments  ·  Network Protection
  8. Ability to Traffic Shape & QoS Specific Interface

    Hello!

    It has become apparent for us to try and implement Traffic Shaping rules for specific interfaces - in our example, we have a site which has many RED Branch Offices. These branch offices appear to be causing high utilization on our available WAN usage.

    Currently, to create a Traffic Shaper or QoS rule we'd need to define it within "System services > Traffic shaping" and then apply this to a firewall rule under "Rules and policies > Firewall rules > [[Edit Rule]] > Other security features > Shape traffic".

    This works great for when you have a specific service…

    7 votes

    0 comments  ·  Network Protection
  9. Services need to be modify without removing from rule

    In the current firmware, if I want to modify a service, I have to remove it from all rules related to this service. This should be updated in the upcoming firmware. Services need to be modifiable without removing them from rules.

    3 votes

    0 comments  ·  Network Protection
  10. Network Map

    I suggest the implementation of a network map visualization to watch OS type, hostname, IP, and open ports, and to manage their network access.

    2 votes

    0 comments  ·  Network Protection
  11. WAF Source Filter by FQDN

    Currently WAF rules can only have their source filtered by IP or by Network, while regular DNAT rules can be filtered by IP, IP Range, IP List, MAC Address, MAC List, Host Group, Network, FQDN Host, FQDN Host Group, or Country Group.

    I'd like the functionality of the WAF source filter to be expanded to have the same capabilities as a full DNAT rule.

    I'm specifically after the FQDN host so we can filter and use DynDNS hostnames, but the other things would be handy as well.

    1 vote

    0 comments  ·  Network Protection
  12. Support for Industrial Control and Automation Protocols (SCADA) in DPI / IDS

    Idea originally posted by TheMachineWhisperer in 2018 but never responded to by Sophos.

    Security for industrial automation, critical infrastructure, and SCADA systems is very much a critical issue.

    We would like to see some development to include capability for Deep Packet Inspection and control of industrial control protocols such as:

    Modbus TCP
    Ethernet/IP (CIP)
    OPC Classic (DCOM / RPC)
    Siemens S7
    DNP3
    etc.

    Inclusion of rules for these into IDS would also be welcomed.

    A number of vendors approaching us are starting to get into this specialist area of the market and it would be great to see Sophos…

    3 votes

    0 comments  ·  Network Protection
  13. Enable/Disable SSL/TLS inspection per firewall rule

    In v18 of SFOS of my XG firewall, SSL/TLS inspection is a global on/off setting. I would like to be able to control the use of SSL/TLS inspection per rule instead of globally.

    I have an old copier trying to send secure emails and the inspection engine is erroring out with a timeout error. There is no way to make an exception for this. If I could just create a new firewall rule so this copier could send out emails, that would be great, while leaving SSL/TLS inspection enabled for all the other rules. In v17 everything worked fine.

    5 votes

    2 comments  ·  Network Protection
  14. Please add back the Drop Silently feature

    Port 80 and Port 443 can’t be silently dropped by the firewall & logs incorrectly report traffic as “Accepted.” Even traffic that is "Dropped" gets a response from the firewall.

    Firstly this is nonsensical. After weeks of back and forth Sophos support told us this is the intended behavior. Sadly this behavior makes the log files misrepresent the action taken, all traffic that gets a "Drop" action shows as "Accept" in the logs.

    Secondly it removes the first layer of protection. Normally we use "Drop" to silently hide from unwanted traffic and potential attackers, this "new feature" Sophos added eliminates…

    4 votes

    1 comment  ·  Network Protection
  15. make live changes on service rule to enable port forwarding

    Allow the services rule in the hosts & services option to be editable while the rule is live.

    If the site is live and we want to allow a new port on the server, we first have to take it down from the firewall rule, then go to the services option, which then allows us to make the change, and only after that are we able to add the new port in the rule.

    This is not a proper way: if we have to take down our live site for a few minutes, it makes a bad impression on the business.

    1 vote

    0 comments  ·  Network Protection
  16. Netflow data over IPsec VPN

    Netflow data can travel on IPsec VPN.

    1 vote

    0 comments  ·  Network Protection
  17. firewall rules audit

    We are using an XG115 firewall. The cybersecurity auditor raised the following queries.
    1) An operator can see all the firewall rules. There is no option to assign selected firewall rules to operators. A lot of profile limitations.
    2) 4 eyes is not available whenever changes are done in the firewall.
    3) MAC address fails to work because of routers and layer 2/3 switches in between in the network; in spite of putting a static MAC address on the switch, it still failed to work.

    2 votes

    0 comments  ·  Network Protection
  18. country ipv6 lists

    Need to have Ip2country for IPv6-based hosts and IPv6 addresses per country. Also need to be able to list networks in an IP object like IPlist.

    18 votes

    2 comments  ·  Network Protection
  19. Utilize the weight value for WAN failover order of priority to become active

    Hello Team,

    We have a customer here requesting to utilize the weight value for WAN failover order of priority to become active. For your assistance, please. Thank you.

    1 vote

    0 comments  ·  Network Protection
  20. Utilize the weight value for WAN failover order of priority

    Hello Team,

    We have a customer here requesting to utilize the weight value for WAN failover order of priority. For your assistance, please. Thank you.

    1 vote

    0 comments  ·  Network Protection