XG Firewall
Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.
-
Disable virtual mac address in HA mode
Running the Sophos XG firewall in high availability mode in a virtualized environment (where virtual MAC addresses are not supported) is currently not possible. Please implement a feature to disable the usage of virtual MAC addresses (similar to what the UTM does when using the command 'cc set ha advanced virtual_mac 0').
Thanks.
15 votes -
Firewall rule re-ordering by using Up and Down buttons
Drag and drop for firewall rules seems to be unreliable on some browsers and can be difficult to do if using a tablet or trackpad.
Can we add the ability to click on "UP", "DOWN", "MOVE TO TOP" and "MOVE TO BOTTOM" buttons to move the selected firewall rule?
27 votes -
RED Interface: "3G/UMTS Failover" setting should support DHCP mode
The XG Cellular WAN interface's IP assignment mode supports DHCP client,
but the RED WAN interface does not. Please support it similarly.
3 votes -
Enable to configure multiple VPN Zones
All VPN zones of the connection destinations are the same, so different policies cannot be written.
14 votes -
Anti-portscan
XG does not have an anti-portscan feature. Please vote for it!
566 votes -
Use Office365 MFA for VPN user authentication
It would be great to have integration of the Office 365 multifactor authentication process (for instance, the ability to use it to protect VPN connections).
9 votes -
Device inventory
I suggest a view of devices on the network, divided by operating system and showing the essential information such as host name, IP and MAC address, and which interface they are connected to.
39 votes -
Allow selection of CA Certificate to enroll SSL VPN User's certificate
It would be great to allow selection of the CA intermediate certificate used to enroll SSL VPN users' certificates (as is already done for Web Scanning).
10 votes -
Provide a way to check vulnerabilities for coverage by current IPS signatures
To assess one's current level of protection, being able to check coverage of known vulnerabilities (e.g. by CVE-ID) is desirable. Implementing a solution to look up IPS signatures for coverage of specific CVE-IDs would be helpful.
15 votes -
Orderly Shutdown of XG HA Cluster from GUI
When the admin selects shutdown in the GUI and the XG Firewall is part of an HA arrangement, either Active/Passive or Active/Active, it would be a good idea to automatically conduct an orderly shutdown / restart of the HA cluster in a seamless manner. This could avert the potential for any corruption related to sync failures etc.
7 votes -
Socks proxy
In UTM 9.x there was an option to use the UTM as a SOCKS5 proxy on port 1080. That was very helpful when you try to connect LAN computers to remote servers over the internet without the need to open firewall rules or NAT, i.e. bank applications that transfer data between a PC and the bank office over a secured channel instead of web browsing.
We used to run the Hummingbird SOCKS proxy client.
38 votes -
Firewall rule filters should be persistent
If you filter firewall rules, then edit a rule, the filtering is lost and you have to re-apply the filter. This is a nightmare when you need to update 10 different firewall rules. Filtering should be maintained until it is cleared.
28 votes -
Multipath rules and same weighting as SG
There is no ability on the XG to place Multipath rules or set the weight of an internet line to 0.
For example on the SG you can set a weight as 0 and then create a multipath rule to route certain traffic out via different gateways, and if that gateway goes down it automatically routes traffic out of the next.
This is a basic feature of any firewall.
11 votes -
Option to use QoS by Policy instead of user/group with Authenticated access
Today it's not possible to create more than one rule for authenticated users that specify different QoS policies.
When a rule is marked to match authenticated users, the QoS policy selection is disabled as it is inherited from the user/group.
Instead, the system should allow the administrator to define if the user default policy or a stand-alone QoS policy will be applied to the access.
8 votes -
MAC based authentication
Give the option to restrict a user to accessing the internet from a specific MAC address only. Currently in 16.05 there is an option shown in Authentication > Users > Details, but it does not work.
Sophos support says such a feature is not available. Please bring the feature back.
Summary: Restrict a user to a particular MAC address. The user should be able to log in to the internet/UTM from this MAC address only.
74 votes -
Device type and OS type detection, so rules can be applied by it
Please, we need to apply rules by device type or OS type.
Most of our customers ask for it, because it is included in other firewalls.
96 votes -
XG as OpenVPN client
The ability for XG to act as an OpenVPN client with the ability to open separate tunnels based on destination country would be great.
I fully realize this functionality is probably most relevant for - non paying - home users so I ask this with a lot of diffidence.
27 votes -
Support for DNScrypt
Is it possible to add DNScrypt support, please? Everything that can be done to make DNS more secure is urgently needed :)
37 votes -
Weak handshake - SSL VPN
Hi team, I noticed that the Sophos VPN uses a weak handshake for remote users despite high settings in the SSL VPN crypto configuration.
Currently it uses: SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
3DES-EDE is known to be weak.
I think this is a serious problem for such a nice firewall.
Forum post: https://community.sophos.com/products/xg-firewall/f/vpn/84727/sophos-xg-ssl-vpn-remote-use-weaker-handshake-than-specified-and-udp-failed-to-connect/
40 votes -
Native AWS VPC VPN Support
The UTM supports auto-setup of site-to-site VPNs with AWS using the AWS-provided config files, but XG does not. Dynamic routing is a requirement if you wish to terminate multiple AWS VPNs from the same AWS zone. This is currently not possible, not just automatically using the AWS config file, but even manually, because the XG will not let you assign a link-local (APIPA 169.254/16) address to any interface, which Amazon requires for BGP.
14 votes