XG Firewall
Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.
Allow to enter a partial MAC-Address to filter for Vendors
It would be great to be able to enter a partial MAC address, e.g. 00:1A:E8:*, within the MAC Address Definition section.
The MAC address in this example would cover every device from the vendor Unify.
1 vote
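The wildcard-prefix match the post above asks for, written out as an added example (not Sophos code and not part of the original post): a partial MAC such as `00:1A:E8:*` is reduced to a hex prefix and compared against fully normalized addresses, so the usual `:`/`-`/`.` notations all match. The lease list is constructed sample data, and the helper names are this example's own.

```python
import re

HEX_ONLY = re.compile(r"[^0-9A-Fa-f]")


def normalize_mac(mac: str) -> str:
    """Return a full MAC as 12 lowercase hex digits.

    Accepts the common separators (00:1A:E8:12:34:56, 00-1a-e8-12-34-56,
    001a.e812.3456) and rejects anything that is not exactly 48 bits.
    """
    digits = HEX_ONLY.sub("", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits.lower()


def compile_mac_pattern(pattern: str) -> str:
    """Turn a partial MAC such as '00:1A:E8:*' or '00:1A:E8' into a hex prefix.

    A trailing '*' is optional; the prefix must be 1..6 whole octets, so a
    bare '*' or a half octet cannot silently become a match-everything rule.
    """
    body = pattern.strip()
    if body.endswith("*"):
        body = body[:-1]
    digits = HEX_ONLY.sub("", body)
    if not digits or len(digits) > 12 or len(digits) % 2:
        raise ValueError(f"bad MAC prefix pattern: {pattern!r}")
    return digits.lower()


def mac_matches(mac: str, pattern: str) -> bool:
    """True if `mac` starts with the octets given in `pattern`."""
    return normalize_mac(mac).startswith(compile_mac_pattern(pattern))


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means locally administered (e.g. randomized MACs).

    Such addresses carry no vendor OUI, so a vendor-prefix rule says nothing
    reliable about the device behind them.
    """
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def filter_hosts(hosts, pattern):
    """Return the IPs from (ip, mac) pairs whose MAC matches the vendor prefix."""
    return [ip for ip, mac in hosts if mac_matches(mac, pattern)]


# Constructed sample leases (not real data), deliberately in mixed notations.
SAMPLE_LEASES = [
    ("192.0.2.10", "00:1A:E8:12:34:56"),
    ("192.0.2.11", "00-1a-e8-ab-cd-ef"),
    ("192.0.2.12", "3C:22:FB:00:11:22"),
    ("192.0.2.13", "02:1A:E8:99:88:77"),  # locally administered bit set: not the same OUI
]

if __name__ == "__main__":
    print(filter_hosts(SAMPLE_LEASES, "00:1A:E8:*"))  # ['192.0.2.10', '192.0.2.11']
```

Two caveats a practitioner would want next to such a rule: a MAC is trivially spoofed, so a vendor prefix is a convenience filter rather than authentication, and randomized or otherwise locally administered addresses (checked with `is_locally_administered`) never map to a vendor at all.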
Allow netflow to be assigned to a specific zone
It would be great to be able to assign the NetFlow service to zones the same way you can with most other services: SNMP, SSL portal, ping, user portal, etc.
You cannot truly segregate all management traffic/duties with the current implementation without rewiring the default LAN port to be a dedicated management interface.
1 vote
Ghost ip detection
We are using the DHCP server on our XG firewall. The IP lease setting is 12 hrs. I am looking for a tool with which I can find ghost IPs (IPs which are not active) and clear them from the DHCP pool in order to assign them to new connections.
Secondly, I want to know how I can make a rule so that a device which is not authorized to access the internet does not get an IP from the DHCP server.
1 vote
Block IPv6 UDP fragmentation
Currently, on XG firewalls one can disallow fragmented traffic via the CLI (fragmented-traffic deny). But this cannot be reduced to IPv6 UDP traffic only.
1 vote
set group of wan links to perform load balancing
We need in the future to be able to set a group of WAN links to perform load balancing.
Example:
I have 6 WAN links from different ISPs (Vodafone, WE, TE-DATA, Nour, Orange, and Etisalat).
We need to be able to make Vodafone, WE, and TE-DATA perform load balancing to serve a specific subnet, and create another load-balancing group with the rest of the ISPs (Nour, Orange, and Etisalat) to serve another subnet.
1 vote
Dhcp lease Export in one Excel File
It is submitted that the DHCP leases in the firewall cannot be downloaded properly, and because of this the admin user is facing problems. You are therefore requested to please provide a function to export an Excel file of all IPv4 DHCP leases, so that all leases can be downloaded easily and the admin user can maintain the DHCP logs properly. Firewall > Network > DHCP > IPv4
1 vote
OP Manager Compatibility with XG
Customer wanted to have the OP manager compatibility with XG Firewall
3 votes
Ability to Traffic Shape & QoS Specific Interface
Hello!
It has become necessary for us to implement Traffic Shaping rules for specific interfaces. In our example, we have a site which has many RED branch offices. These branch offices appear to be causing high utilization of our available WAN bandwidth.
Currently, to create a Traffic Shaper or QoS rule we'd need to define it within "System services > Traffic shaping" and then apply this to a firewall rule under "Rules and policies > Firewall rules > [[Edit Rule]] > Other security features > Shape traffic".
This works great for when you have a specific service…
7 votes
Services need to be modify without removing from rule
In the current firmware, if I want to modify a service I have to remove it from all rules which reference that service. This should be updated in the upcoming firmware: services need to be modifiable without removing them from rules.
3 votes
Network Map
I suggest the implementation of network map visualization to watch os type, hostname, IP, open ports and manage their network access.
2 votes
WAF Source Filter by FQDN
Currently WAF rules can only have their source filtered by IP or by Network, while regular DNAT rules can be filtered by IP, IP Range, IP List, MAC Address, MAC List, Host Group, Network, FQDN Host, FQDN Host Group, or Country Group.
I'd like the functionality of the WAF source filter to be expanded to have the same capabilities as a full DNAT rule.
I'm specifically after the FQDN host so we can filter on DynDNS hostnames, but the other options would be handy as well.
1 vote
Support for Industrial Control and Automation Protocols (SCADA) in DPI / IDS
Idea originally posted by TheMachineWhisperer in 2018 but never responded to by Sophos.
Security for industrial automation, critical infrastructure, and SCADA systems is very much a critical issue.
We would like to see some development to include capability for Deep Packet Inspection and control of industrial control protocols such as:
Modbus TCP
Ethernet/IP (CIP)
OPC Classic (DCOM / RPC)
Siemens S7
DNP3
etc.
Inclusion of rules for these into IDS would also be welcomed.
A number of vendors approaching us are starting to get into this specialist area of the market and it would be great to see Sophos…
3 votes
Enable/Disable SSL/TLS inspection per firewall rule
In v18 of SFOS on my XG firewall, SSL/TLS inspection is a global on/off setting. I would like to be able to control the use of SSL/TLS inspection per rule instead of globally.
I have an old copier trying to send secure emails, and the inspection engine is erroring out with a timeout error. There is no way to make an exception for this. If I could just create a new firewall rule so this copier could send out emails while leaving SSL/TLS inspection enabled for all the other rules, that would be great. In v17 everything worked fine.
5 votes
Please add back the Drop Silently feature
Port 80 and port 443 can't be silently dropped by the firewall, and the logs incorrectly report the traffic as "Accepted." Even traffic that is "Dropped" gets a response from the firewall.
Firstly, this is nonsensical. After weeks of back and forth, Sophos support told us this is the intended behavior. Sadly, this behavior makes the log files misrepresent the action taken: all traffic that gets a "Drop" action shows as "Accept" in the logs.
Secondly, it removes the first layer of protection. Normally we use "Drop" to silently hide from unwanted traffic and potential attackers; this "new feature" Sophos added eliminates…
4 votes
make live changes on service rule to enable port forwarding
Allow the service rule in the Hosts & Services option to be edited while the rule is live.
If a site is live and we want to allow a new port on the server, we first have to remove the service from the firewall rule, then go to the Services option (only then does it let us change it), and after that we are able to add the new port to the rule. This is not a proper way of working: if we have to take down our live site for a few minutes, it makes a bad impression on the business.
1 vote
Netflow data over IPsec VPN
NetFlow data should be able to travel over an IPsec VPN.
1 vote
firewall rules audit
We are using an XG115 firewall. Our cybersecurity auditor raised the following queries:
1) An operator can see all the firewall rules; there is no option to assign selected firewall rules to operators. The profile limitations are very coarse.
2) Four-eyes approval is not available when changes are made to the firewall.
3) MAC address rules fail to work because of the layer 2/3 routers and switches in between on the network; even after putting a static MAC address on the switch, it still failed to work.
2 votes
country ipv6 lists
Need to have IP2Country for IPv6-based hosts and IPv6 addresses per country. Also need to be able to list networks in an IP object, like an IP list.
18 votes
Utilize the weight value for WAN failover order of priority to become active
Hello Team,
We have a customer here requesting that the weight value be used for the WAN failover order of priority to become active. Your assistance please. Thank you.
1 vote
Utilize the weight value for WAN failover order of priority
Hello Team,
We have a customer here requesting that the weight value be used for the WAN failover order of priority. Your assistance please. Thank you.
1 vote