XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.

XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Advanced Threat protection reolve bad urls to Sophos IP Address

    Palo Alto has a wonderful feature called DNS Sinkholing( https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/threat-prevention/dns-sinkholing#) where infected machines on the inside network that send dns requests external for malicous urls can be easily identified. This is achieved by resolving bad urls to a Sophos Public IP address and then every internal machine trying to access this IP is known to be infected with malware. Currently with Advanced Threat protection we can only see these DNS requests from the internal DNS server and not the end device which makes tracking down infected machines a much greater task.

    3 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  2. DHCP for IPSec, SSL-VPN static IP for user, capacity for adding more lease ranges or duplicate settigs for SSL VPN

    DHCP for IPSec,
    SSL-VPN static IP for user,
    capacity for adding more lease ranges or duplicate settigs for SSL VPN

    7 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  3. FAILOVER - Time delay before reverting to ensure link stability

    In case we have automatic failover set and the primary link gets down, Sophos XG would change routes to the secundary link. So far all good. However, sometimes this main link is still facing problems and will get down again very soon. This instability will cause problems to the users.

    It would be good to have an option to set the time the primary link would become the main link again after it gets down. For example, only after 5 minutes the main link being up it would replace the secundary link.

    2 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  4. Automatic Blacklisting and Reporting of Intruders

    Linux has a program called Fail2Ban which can monitor various system logs for events like failed login attempts and then act on those events by doing things like create black list entries in the firewall to block that IP address from accessing the firewall for a configured time period or semi-permanently. It also has the ability to notify the website https://www.abuseipdb.com/fail2ban.html of the intrusion. It would be very nice if Sophos could implement this or something similar in the XG.

    5 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  5. HA: Gateway failback timeout configuration in firewall

    Hi,

    When the Active gateway comes back online, traffic should fail back to the Active gateway within specific timeout option in seconds like Gateway Failover timeout.

    There should be an option for Gateway Failback timeout.

    1 vote
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  6. Make outbound queries using DNS-over-https (DoH)

    DNS over HTTPS or DNS over TLS
    I know there is a feature request for DoT already but id like to add to that request by asking for the option to choose DoH or DoT?

    15 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  7. Stick IP functionality for NAT Pools or any NAT rule

    Coming from a Juniper background, we have the functionality of "Sticky IP" (Junipers "Address-Persistent") for any NAT rule. In Sophos you can only do this if performing a load balance NAT to a webserver (KB:132277).
    It would be great to be able to do this in any NAT rule.
    Thank you

    1 vote
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  8. Create and maintain a host group for all O365 services this can be updated with firmware updates?

    Create and maintain a host group for all O365 service IP's this can be updated with firmware updates?

    12 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  9. Show firewall rule details in Intrusion Attacks report

    Information about the firewall rule should be displayed under Intrusion Attacks report.

    It will help to filter out allowed attacks in case if the IPS logs are not available.

    3 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  10. 1 vote
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  11. Allow port forward of TCP and UDP in same rule

    So there's a limitation currently where if you're making a DNAT rule, and you want to change the destination port number, you can't forward ports from both TCP and UDP to the same server using the same rule.

    For example, I have an environment where RDP traffic from specific external public IP addresses is forwarded from one of my public IPs to an internal server (via DNAT). RDP uses both TCP 3389 and UDP 3389, but my users connect on a different port number (52389), which I need to forward an internal server on 3389.

    I can create services to…

    17 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  12. Ability to apply UTM filters on traffic from Discover Interface so to create a report for POC

    Discovered traffic from Discover interface could be made more meaningful by applying web and application filters so to get some meaningful UTM reports not just application visibility for the new customer who wants to check the UTM capability of device before buying OR before device goes to inline production environment.
    Fortigate has some nice way with one-arm sniffer interface and sniffer firewall policy.
    It would definitely help sophos gaining more customers while doing POC

    1 vote
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  13. Zone Groups

    It would be good to be able to build zone groups in a similar fashion to IP host groups, FQDN groups, service groups, etc. This would allow rules to include multiple zone sets quickly.

    1 vote
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  14. Two factor authentication for Active Directory synched under XG

    Hello Team,

    We have customer here requesting to have Two factor authentication for Active Directory synched under XG. For your assistance please. Thank You.

    4 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  15. Auto-Quarantine devices that use proxy/bypass software

    For the people who using proxy tool to bypass the firewall , i hope that there an option to quarantine the ip who is using the proxy tool automaticlly .
    Like psiphone .

    3 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  16. Sophos Home Guard Hardware for (Home Users)

    i have idea for new hardware Called Sophos Home Guard It can connected to router to protect all connected devices (IOT) for (Home Users) it contain Firewall,web protection traffic watcher and more

    4 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  17. Overide Hostname - Multiple Hostnames/IP's

    To have the possibility of put multiple IP's on the "Override Hostname" configuration.

    4 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  18. Firewall rules: Group of groups

    To have the possibility of create a group of groups. If I want to separate Business Rules in groups ordered by services, it would be helpful to put the groups of Business Rules in a group, in order to do not confuse Business Rules with Network/User Rules.

    4 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  19. Choose interface IPs for built in services

    The XG does not allow the ability to choose which IP interface a built in service like VPN/IPsec and the SPX portal bind to. For example, I have a /24 public IP range, and in order for a NAT to function for outgoing traffic, I'm required to create an aliased IP address on the WAN link. Each and every aliased IP responds to requests on UDP 500 as the following (via namp or the nessus vulnerability scanner): 500/udp open isakmp StrongSwan ISAKMP.

    The fact that there may be rules in place in the VPN configuration to limit who can actually…

    3 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  20. Use host objects in route definitions

    Ability to use IP Host names (Console --> System --> Hosts and Services) in creating routes and gateways (Console --> Configure --> Routing).

    2 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base

icon-data-protection icon-endpoint-protection icon-phish-threat icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-mobile icon-sophos-utm icon-sophos-utm icon-sophos-utm icon-web-appliance icon-xg-firewall icon-xg-firewall icon-avid-secure icon-lightbulbCreated with Sketch.