To assess ones current level of protection, being able to check coverage of known vulnerabilities (e.g. by CVE-ID) is desirable. Implementing a solution to lookup IPS-signatures for coverage of specific CVE-IDs would be helpful.

Orderly Shutdown of XG HA Cluster from GUI
When the admin selects shutdown in the GUI if the XG Firewall is part of a HA arrangement either Active/Passive or Active/Active it would be a good idea to automatically conduct an orderly shutdown / restart of the HA cluster in a seamless manner. This could avert the potential for any corruption related to sync failures etc.

As in UTM 9.x there was an option to use the utm as socks5 proxy using port 1080, that was very helpful when you try to connect lan computers to remote servers over the internet without the need to open firewall rules o natting, ie. bank applications to transfer data between pc and bank office using secured channel instead of web browsing.
We used to run Hummingbird socks proxy client.

If you filter firewall rules, then edit a rule, the filtering is lost and you have to re-apply the filter. This is a nightmare when you need to update 10 different firewall rules. Filtering should be maintained until it is cleared.

There is no ability on the XG to place Multipath rules or set the weight of an internet line to 0.

For example on the SG you can set a weight as 0 and then create a multipath rule to route certain traffic out via different gateways, and if that gateway goes down it automatically routes traffic out of the next.

This is a basic feature of any firewall.

Today it's not possible to create more than one rule for authenticated users that specify different QoS policies.

When a rule is marked to match authenticated users, the QoS policy selection is disabled as it is inherited from the user/group.

Instead, the system should allow the administrator to define if the user default policy or a stand-alone QoS policy will be applied to the access.

Give option to restrict a user accessing internet from specific MAC address only. Current in 16.05 there is option shown in Authentication > Users > Details, but it does not work.
Sophos support says, such a feature is not available. Please bring the feature back.

Summary: Restrict a user from a particular MAC address. User should able to login to internet/UTM from this MAC address only

please we need to apply rules by device type or OS type.
which most of our customers ask for it, cause it included on other firewall.

The ability for XG to act as an OpenVPN client with the ability to open separate tunnels based on destination country would be great.
I fully realize this functionality is probably most relevant for - non paying - home users so I ask this with a lot of diffidence.

Is it possible to add DNScrypt-support please ? Everything that can be done to make DNS more secure is urgently needed :)

Hi team, I noticed that Sophos VPN use weak handshake for remote user despite high settings on SSL VPN crypto.
Currently it uses: SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
3DES-EDE is known to be weak.
I think this is a serious problem for such a nice firewall.
Forum post: https://community.sophos.com/products/xg-firewall/f/vpn/84727/sophos-xg-ssl-vpn-remote-use-weaker-handshake-than-specified-and-udp-failed-to-connect/

The UTM supports auto-setup of site-to-site VPNs with AWS using the AWS provided config files, but XG does not. Dynamic routing is a requirement if you wish to terminate multiple AWS VPNs from the same AWS Zone. This is currently not possible, not just automatically using the AWS config file, but even manually because the XG will not let you assign a link local (APIPA 169.254/16) address to any interface, which Amazon requires for BGP.

We have a Requirement for having a Surfing Quota option for Clientless users . This would block all Web traffic instead of Logging out the user from Live connections .Since its Clientless but with benefits of an Client based users.

XG is able to filter malware only if FTP/HTTP/HTTPS protocols are used. Engines are there but cannot be used to scan traffic between zones if the protocols are not FTP/HTTP/HTTPS.
Please allow Admins to enable malware scan on different protocols (for example scanning CIFS/SMB).
Thanks

SSL Client APP for Android / IOS

Sophos should develop its own APP for mobile devices instead of using openvpn app, which is currently causing connectivity problems with Sophos XG SSL VPN. Competitors like Fortinet, SonicWall etc have their own app.

VPN tunnel (both SSL and IPSEC) does not revert to its primary WAN interface, manual disable and reenable the Failover group/SSLVPN Client status for the tunnel to be established via Primary WAN interface.

it would be great to allow user to add their own bookmarks or to allow group bookmark AND user bookmarks on admin interface for a given user.
at the moment, you can only give access to a group bookmark.

since SMB bookmark seems to need authentification (at least i was not able to make them work without automatic login), each user needs a different group of bookmarks!
it's a mess and a considerable amount of work.

Hi,

on WAN port we have multiple alias public IP Address. now i want to allow ping only particular alias IP Address from outside world to check the wether the Server is up or down purpose.

so please include this feature XG Firewall.

we have urgent requiremnt for this because we are in ISP businees so we want to allow ping request from any source.

Regards,
Kamal Patel

A feature like Cisco's ASA Packet Trace utility will be very nice. I like the XG firewalls but I really miss the Packet Tracer. Here's a little bit about it:

https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer

I like it because you don't need to setup test hosts - the test packet virtually injected from the appliance itself.