Running the Sophos XG firewall in high availability mode in a virtualized environment (where virtual MAC addresses are not supported) is currently not possible. Please implement a feature to disable the usage of virtual MAC addresses (similar to what the UTM does when using the command 'cc set ha advanced virtual_mac 0'.

Thanks.

Drag and drop for firewall rules seems to be unreliable on some browsers and can be difficult to do if using a tablet or trackpad.
Can we add the ability to click on "UP", "DOWN", "MOVE TO TOP" and "MOVE TO BOTTOM" buttons to move the selected firewall rule?

XG is Cellular WAN IF IP assign mode is support DHCP client
but RED WAN I/F is not supported.

Please support similarly.

All of the zones of the VPN of the connection destination are the same and different policies can not be written.

XG does not have a anti-portscan feature. Please vote it!

It would be great to have integration of Office 365 multifactor authentication process (ability to use it to protect vpn connections for instance)

I suggest a view of devices on the network, divided by operating system and bringing the essential information such as host name, IP and MAC address, and which interface are connected.

It would be great to allow selection of CA Intermediate certificate used to enroll SSL PVN Users Certificates (like already done for Web Scanning)

To assess ones current level of protection, being able to check coverage of known vulnerabilities (e.g. by CVE-ID) is desirable. Implementing a solution to lookup IPS-signatures for coverage of specific CVE-IDs would be helpful.

Orderly Shutdown of XG HA Cluster from GUI
When the admin selects shutdown in the GUI if the XG Firewall is part of a HA arrangement either Active/Passive or Active/Active it would be a good idea to automatically conduct an orderly shutdown / restart of the HA cluster in a seamless manner. This could avert the potential for any corruption related to sync failures etc.

As in UTM 9.x there was an option to use the utm as socks5 proxy using port 1080, that was very helpful when you try to connect lan computers to remote servers over the internet without the need to open firewall rules o natting, ie. bank applications to transfer data between pc and bank office using secured channel instead of web browsing.
We used to run Hummingbird socks proxy client.

If you filter firewall rules, then edit a rule, the filtering is lost and you have to re-apply the filter. This is a nightmare when you need to update 10 different firewall rules. Filtering should be maintained until it is cleared.

There is no ability on the XG to place Multipath rules or set the weight of an internet line to 0.

For example on the SG you can set a weight as 0 and then create a multipath rule to route certain traffic out via different gateways, and if that gateway goes down it automatically routes traffic out of the next.

This is a basic feature of any firewall.

Today it's not possible to create more than one rule for authenticated users that specify different QoS policies.

When a rule is marked to match authenticated users, the QoS policy selection is disabled as it is inherited from the user/group.

Instead, the system should allow the administrator to define if the user default policy or a stand-alone QoS policy will be applied to the access.

Give option to restrict a user accessing internet from specific MAC address only. Current in 16.05 there is option shown in Authentication > Users > Details, but it does not work.
Sophos support says, such a feature is not available. Please bring the feature back.

Summary: Restrict a user from a particular MAC address. User should able to login to internet/UTM from this MAC address only

please we need to apply rules by device type or OS type.
which most of our customers ask for it, cause it included on other firewall.

The ability for XG to act as an OpenVPN client with the ability to open separate tunnels based on destination country would be great.
I fully realize this functionality is probably most relevant for - non paying - home users so I ask this with a lot of diffidence.

Is it possible to add DNScrypt-support please ? Everything that can be done to make DNS more secure is urgently needed :)

Hi team, I noticed that Sophos VPN use weak handshake for remote user despite high settings on SSL VPN crypto.
Currently it uses: SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
3DES-EDE is known to be weak.
I think this is a serious problem for such a nice firewall.
Forum post: https://community.sophos.com/products/xg-firewall/f/vpn/84727/sophos-xg-ssl-vpn-remote-use-weaker-handshake-than-specified-and-udp-failed-to-connect/

The UTM supports auto-setup of site-to-site VPNs with AWS using the AWS provided config files, but XG does not. Dynamic routing is a requirement if you wish to terminate multiple AWS VPNs from the same AWS Zone. This is currently not possible, not just automatically using the AWS config file, but even manually because the XG will not let you assign a link local (APIPA 169.254/16) address to any interface, which Amazon requires for BGP.