The UTM supports auto-setup of site-to-site VPNs with AWS using the AWS provided config files, but XG does not. Dynamic routing is a requirement if you wish to terminate multiple AWS VPNs from the same AWS Zone. This is currently not possible, not just automatically using the AWS config file, but even manually because the XG will not let you assign a link local (APIPA 169.254/16) address to any interface, which Amazon requires for BGP.

We have a Requirement for having a Surfing Quota option for Clientless users . This would block all Web traffic instead of Logging out the user from Live connections .Since its Clientless but with benefits of an Client based users.

XG is able to filter malware only if FTP/HTTP/HTTPS protocols are used. Engines are there but cannot be used to scan traffic between zones if the protocols are not FTP/HTTP/HTTPS.
Please allow Admins to enable malware scan on different protocols (for example scanning CIFS/SMB).
Thanks

SSL Client APP for Android / IOS

Sophos should develop its own APP for mobile devices instead of using openvpn app, which is currently causing connectivity problems with Sophos XG SSL VPN. Competitors like Fortinet, SonicWall etc have their own app.

VPN tunnel (both SSL and IPSEC) does not revert to its primary WAN interface, manual disable and reenable the Failover group/SSLVPN Client status for the tunnel to be established via Primary WAN interface.

it would be great to allow user to add their own bookmarks or to allow group bookmark AND user bookmarks on admin interface for a given user.
at the moment, you can only give access to a group bookmark.

since SMB bookmark seems to need authentification (at least i was not able to make them work without automatic login), each user needs a different group of bookmarks!
it's a mess and a considerable amount of work.

Hi,

on WAN port we have multiple alias public IP Address. now i want to allow ping only particular alias IP Address from outside world to check the wether the Server is up or down purpose.

so please include this feature XG Firewall.

we have urgent requiremnt for this because we are in ISP businees so we want to allow ping request from any source.

Regards,
Kamal Patel

A feature like Cisco's ASA Packet Trace utility will be very nice. I like the XG firewalls but I really miss the Packet Tracer. Here's a little bit about it:

https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer

I like it because you don't need to setup test hosts - the test packet virtually injected from the appliance itself.

Allow firewall rules to "match" by application, and thus permit custom routing/qos. E.g (Streaming out lower cost WAN1, VoIP out faster/more expensive WAN2)

This would be (layer7) application based (Not Subnet/Port based)

This is an idea to add the actively developed and open source OpenConnect server package to the XG Firewall. https://gitlab.com/ocserv/ocserv

The OpenConnect server is compatible with CISCO's AnyConnect and Juniper PULSE (Secure) SSL clients. Thanks.

Earlier on SG, we used to have options to check if gateway is available on any interface but on XG it is compulsory to keep gateway on WAN which is quite annoying while having L2 links connecting its numbers of offices where I need IPsec VPN.

The Decryption Port mirror feature provides the capability to create a copy of decrypted traffic from a firewall and send it to a traffic collection tool that is capable of receiving raw packet captures–such as NetWitness or Solera–for archiving and analysis. This feature is necessary for organizations that require comprehensive datacapture for forensic and historical purposes or data leak prevention (DLP) functionality.

XG comes with IPS built-in rules and cannot be customized or deleted. At least allow us to customize them in order to add/remove Signature.
I always like to keep the Appliance as clean and light possible and I would like to delete default IPS rules too.

I think that VPN SSL Remote connection needs to have a custom imput filed where we can inser the Firewall FQDN or Pubblic IP that we want to have on the vpn config file that users can daownload from Web User portal.
If you have firewall behind a NAT or multiple WAN you colud choose the VPN SSL Wan interface o bypass NAT problems.

It would be awesome if you could make the link for an Attacker's IP address take us to a place like CentralOps.net or even the built-in tools so we can reverse DNS the IP address to figure out if the threat is credible or not. Also awesome would be the ability to then block that attacker permanently by creating a firewall rule to reject traffic from that specific address with a simple button click.

It's was a good idea to create just email authentification in Hotspot and to have report with all mail. Free Wifi is good but a lot of Customer want to have a revenu with free wifi.

We have more customer with many branches and two or more Internet connection. We want to enable a Singla VPN SA that could be terminated on two differents Peer IPSec Gateway, so we can create a reliable VPN Connection that can use two different Internet connection, depend on what we can specify as first and second Remote Peer VPN.

IPS provides the ability to define custom signatures
Objects > Content > Custom IPS Patterns
(http://docs.sophos.com/nsg/sophos-firewall/v15010/Help/en-us/webhelp/onlinehelp/index.html#page/onlinehelp%2FAppendixB.html)
Please add this feature also to the Application List.

Regards
Sebastian