XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.

  1. Allow ICMP request from WAN on Public Alias IP Address

    Hi,

    On the WAN port we have multiple alias public IP addresses. Now I want to allow ping to only a particular alias IP address from the outside world, to check whether the server is up or down.

    So please include this feature in XG Firewall.

    We have an urgent requirement for this because we are in the ISP business, so we want to allow ping requests from any source.

    Regards,
    Kamal Patel

    24 votes
    1 comment  ·  Network Protection
  2. packet tracer

    A feature like Cisco's ASA Packet Trace utility will be very nice. I like the XG firewalls but I really miss the Packet Tracer. Here's a little bit about it:

    https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer

    I like it because you don't need to set up test hosts - the test packet is virtually injected from the appliance itself.

    7 votes
    1 comment  ·  Network Protection
  3. single sign on for Bookmark in Clientless Access VPN

    XG cannot forward the user identity from User Portal to Bookmark in clientless access VPN.
    At the moment, we have to configure a shared login credential (Automatic Login) for Bookmark.
    It would be better if XG retrieved user information from a User Portal session and forwarded it to a Bookmark.

    14 votes
    2 comments  ·  Network Protection
  4. Policy grouping or dividing lines

    By adding a lot of policies the GUI is getting very confusing.
    I would like a grouping feature and/or the possibility to add some dividing lines between policies so I can make it more enjoyable to read.

    6 votes
    0 comments  ·  Network Protection
  5. Implement avahi to make life a **** of a lot easier

    When you have a network with Apple products you will soon realise that unless they are on the same subnet they will refuse to see each other. This is because Bonjour just refuses to work over subnets.

    avahi can solve this, but I don't really see the point in setting up a server running Linux to do such a small task, which should be added into Sophos itself.

    I saw a feature request just like this for UTM 9 and there was no response from an admin. Seeing as XG is a new platform I am hoping this feature might actually…

    16 votes
    1 comment  ·  Network Protection
  6. Firewall rule with content/application matching for custom QoS/Gateway configurations

    Allow firewall rules to "match" by application, and thus permit custom routing/QoS. E.g. streaming out lower-cost WAN1, VoIP out faster/more expensive WAN2.

    This would be (layer 7) application based, not subnet/port based.

    10 votes
    2 comments  ·  Network Protection
  7. Top usage monitoring of Gateway

    Please provide an option to monitor top users on a particular Gateway (ISP). The scenario is as follows:
    1. An organisation with multiple ISP links
    2. WAN zone graph of a particular ISP is displaying peak usage
    3. Admin wants to know who is consuming the max through the particular gateway

    The current option in Sophos displays only the max user globally. It does not give ISP-based usage.

    19 votes
    1 comment  ·  Network Protection
  8. Mail field

    The email field of a user in Sophos XG imports only 63 characters when it is imported from Active Directory. This is bad; we need more positions.

    I reported this to support, but they said to post here!

    5 votes
    0 comments  ·  Network Protection
  9. builtin default ssl exception list

    Have a default SSL exception list. If you've already identified that an app won't work with SSL scanning then it should be automatically added. Apps like Twitter, iMessage, Apple App Store, etc. all don't work with decrypt and scan on. Why put users through the trouble of trying to get it to work when you already know it won't?

    I've added a link to show how Palo Alto does it, which I think is a good way of achieving this.

    https://live.paloaltonetworks.com/t5/Configuration-Articles/List-of-Applications-Excluded-from-SSL-Decryption/ta-p/62201

    5 votes
    0 comments  ·  Network Protection
  10. Service definition in inbound rule

    Currently, with a non-HTTP based business policy, there is no option to define the service/application that a particular port is allowed to communicate with on the hosted server. For instance, if we have 1-to-1 NAT defined to host a mail server from WAN and I want only SMTP and PING inbound, XG Firewall doesn't have the option. The feature requested is application parameter definition over the present port mapping in a non-HTTP based business rule, similar to what we have seen in competitors like FortiGate, which offers the flexibility to define the port in the virtual IP as well as the option to specify the application in the firewall rule.

    47 votes
    0 comments  ·  Network Protection
  11. Client Authentication Agent Update Push

    This is an idea for having future CAA agents detect newer versions available typically after a SFOS upgrade and prompt the user to update (or allow auto update). In the past I've had to manually update client authentication agents in the field after each release. The other sticking point is while the client_auth_agent.exe is digitally signed it does not include the product version number which makes identifying the version a bit tricky. However having the CAA auto-update (maybe from an admin checkbox on the UI) would save the time of the CAAs in the field on getting the absolute latest…

    4 votes
    0 comments  ·  Network Protection
  12. add support for DNSCrypt protocol using dnscrypt-proxy

    This is an idea to add support for the DNSCrypt protocol using dnscrypt-proxy which protects against man-in-the-middle attacks.

    The github source is here:
    https://github.com/jedisct1/dnscrypt-proxy

    Thanks.

    10 votes
    4 comments  ·  Network Protection
  13. Add OpenConnect AnyConnect Pulse SSL VPN server

    This is an idea to add the actively developed and open source OpenConnect server package to the XG Firewall. https://gitlab.com/ocserv/ocserv

    The OpenConnect server is compatible with CISCO's AnyConnect and Juniper PULSE (Secure) SSL clients. Thanks.

    3 votes
    0 comments  ·  Network Protection
  14. True Network DLP

    DLP works quite well on Email but it is time to implement it even on Web. I would like to be able to know what my users are uploading to Cloud, DropBox and Webmail and decide to stop and log or log only. Also VPN client should be able to talk with XG and scan what users download from the company to their pc and block unauthorized content.

    15 votes
    0 comments  ·  Network Protection
  15. WAN without gateway

    Earlier, on SG, we used to have options to check if a gateway is available on any interface, but on XG it is compulsory to keep a gateway on WAN, which is quite annoying when having L2 links connecting a number of offices where I need IPsec VPN.

    27 votes
    1 comment  ·  Network Protection
  16. Decryption Port Mirroring

    The Decryption Port mirror feature provides the capability to create a copy of decrypted traffic from a firewall and send it to a traffic collection tool that is capable of receiving raw packet captures–such as NetWitness or Solera–for archiving and analysis. This feature is necessary for organizations that require comprehensive data capture for forensic and historical purposes or data leak prevention (DLP) functionality.

    27 votes
    2 comments  ·  Network Protection
  17. Predefined Objects for (IP Range + Standard Services, Ports)

    I could improve my overall network security by limiting Services/Ports to specific IP Ranges. A predefined set of IP Ranges together with standard ports would be very helpful and ease up the whole XG configuration. For instance, my users have access to specific ports only for the IP Ranges of Apple, Microsoft, Google and Akamai. Given this, only Port 80 and 443 remain open from LAN to WAN for all other IPs. I think for 80% of all Small Businesses, with some adjustments, this configuration should work out of the box.

    2 votes
    0 comments  ·  Network Protection
  18. Allow access to google hangouts

    Allow access to google hangouts

    2 votes
    0 comments  ·  Network Protection
  19. Edit/Delete default IPS rules

    XG comes with built-in IPS rules that cannot be customized or deleted. At least allow us to customize them in order to add/remove signatures.
    I always like to keep the appliance as clean and light as possible and I would like to delete default IPS rules too.

    13 votes
    1 comment  ·  Network Protection
  20. Filter firewall rules for zones

    Filter firewall rules for zones. We can filter it, but the filter is gone if you change the menu. The best solution for me was the Cyberoam layout, with the rules separated by zone. If not possible, please make it possible to make the filter stay there even if we log out of the firewall.

    19 votes
    2 comments  ·  Network Protection