XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.

  1. Request to support Verizon network for USB dongle under XG

    Hello Team,

    We have a customer here requesting support for the Verizon network for a USB dongle under XG.
    Verizon is unable to see the Sophos XG on their end when they connect the dongle to the Verizon network.

    3 votes
    1 comment  ·  Network Protection
  2. IPsec NAT

    IPsec NAT: we need the possibility to NAT several local subnets to only one NAT-address and not 1 local subnet to 1 NAT-address. So that the remote peer has to configure only one ip-address as remote subnet.

    This is still working with an unsupported workaround. One SNAT firewall rule translates all our subnets to one IP address which is part of "Local Subnets" in the affected IPsec connection. To get routes and SNAT working correctly, we've added an ipsec_route on the XG CLI.

    12 votes
    1 comment  ·  Network Protection
  3. Deep SSH inspection

    Much like SSL inspection, Sophos should integrate SSH inspection for additional protection layers.

    For instance, inspecting and scanning the following SSH protocol features: Exec, Port-Forward, SSH-Shell, X11-Filter. This should scan for all SSH-like activity, not exclusive to the standard SSH port.

    11 votes
    3 comments  ·  Network Protection
  4. Suggestion - Do a write up on Setting up a printer behind the firewall on the Lan side

    I would like to see a simple write-up on how to set up a printer to be safely accessible by other machines on the network. It is a really common thing that most offices need to do. I don't think it should be this difficult.

    The printer should allow prints and still be safe from intrusion.

    My specific instance is a Brother laser printer with a scan option, which would need two-way traffic.

    I might also suggest simple setups for or…

    1 vote
    0 comments  ·  Network Protection
  5. Option to change default port 8090 for captive portal

    The customer is requesting an option on XG to change the default port 8090 for the captive portal, as they have a web server that will be deployed using port 8090.

    19 votes
    2 comments  ·  Network Protection
  6. Subscribe to Microsoft Expressroute addresses

    Creating definitions and firewall rules to allow traffic through an ExpressRoute link is exceptionally tedious at the moment, as there are dozens of IP addresses and they can change.
    Microsoft did have an XML feed and now has an API feed that can be used to pull the information.

    3 votes
    0 comments  ·  Network Protection
  7. For the IPS Detection on Attachment of the Email, have option to remove only the attachment and have the email to be delivered

    For the IPS detection when receiving an email attachment which matches IPS signatures set to drop, kindly have an option to remove only the attachment and have the email delivered, or just modify the email subject.

    6 votes
    0 comments  ·  Network Protection
  8. Allow auto-list update for BOGON and similar 3rd party maintained lists

    CYMRU maintains a great BOGON list that can be used to create FW rules which are used to keep BOGON traffic out of the network. This list is dynamic in nature and manual maintenance is cumbersome. It would be great if the XG could be configured to reference this list in a given FW rule and also automatically update the list with no manual intervention.

    Finally, this feature should be designed to use any 3rd party list and not just the BOGON list.

    4 votes
    0 comments  ·  Network Protection
  9. Configure the UDP session timeout (ip_conntrack_udp_timeout)

    Allow an option to increase the UDP timeout in the XG console from 30 seconds, editing /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout.

    5 votes
    0 comments  ·  Network Protection
  10. Add signature exclusions to IPS Policies

    Currently, you can only filter to select an entire set or subset of IPS signatures within an IPS Policy.

    There is no way to exclude a signature from an IPS Policy.

    We would much rather include all signatures that fall under a certain category (e.g. Web Applications) as one policy entry, and then add a "whitelist" exclusion of false-positives as a secondary policy entry.

    9 votes
    0 comments  ·  Network Protection
  11. Customize IPS Signature Age rules

    Grant us the ability to alter the "age-out" option for IPS rules, similar to what existed in the UTM. Given the signature count differences between the XG750 and lower models, we see this age-out happening behind the scenes. We would like this under our control.

    5 votes
    0 comments  ·  Network Protection
  12. Add support for HIP (Host Identity Protocol)

    Add the HIP protocol to your product and you will be the first in the Enterprise sector to do so. Currently there is but one player in this revolution in network security, Tempered Networks. While their products are aimed at the critical infrastructure vertical (as was Cyberoam at one point), the technology could be easily applied to almost any network.

    4 votes
    0 comments  ·  Network Protection
  13. ATP and internal DNS server reporting

    Allow for an internal DNS server plug-in that allows integration into ATP. If ATP picks up an event triggered by the internal DNS server, the requesting IP is also captured in the log.

    4 votes
    1 comment  ·  Network Protection
  14. No. of public IPs to match with no. of internal local IPs

    I want to have multiple public IPs mapped to multiple internal local IPs. When I create it, it says "Number of IP addresses in external IP range and mapped IP range do not match".

    2 votes
    0 comments  ·  Network Protection
  15. Allow IPS signatures to be allowed without logging

    Currently, if packets are allowed in the IPS, they are unconditionally logged and show up in the report as an "attack".

    If you drill into the report, you can see that they are "attacks detected and allowed", however they drown out any real attacks that share any of the following:
    - Attack Category
    - Attacked Platform
    - Attack Targets
    - Severity
    - Intrusion Source
    - Intrusion Destination
    - Applications used for attacks
    - Source Countries
    - Etc

    Please implement either:
    1) Filtering in the Report to specifically show "Attacks" only or "Attacks Detected and Allowed"
    2) Disabling logging of "Allowed…

    4 votes
    0 comments  ·  Network Protection
  16. Make outbound queries using DNS over TLS

    Based on comments on this item, the request is for XG Firewall to use DNS over TLS to make outbound DNS queries over an encrypted channel.

    If you want to support adding the ability for XG Firewall to be a server for DNS over TLS requests from other devices or endpoints, please create or support a separate idea submission. Also, DNS over HTTPS is covered in a different item: https://ideas.sophos.com/admin/v3/ideas/37437661/

    176 votes
    21 comments  ·  Network Protection
  17. Total actual bandwidth is not showing correctly in Current Activities - Live Connections per IP, which is the most critical part which Sophos

    Total actual bandwidth consumption is not showing correctly in Current Activities - Live Connections per IP, which is the most critical part that Sophos is missing. It has to be resolved immediately. The same feature was working perfectly in the Cyberoam CR 25iNG.

    5 votes
    1 comment  ·  Network Protection
  18. Add DHCP options including from number 77 to 255 to command-line dhcp config

    Hello Team,

    We have a customer here requesting to display all the DHCP options, including numbers 77 to 255, in the shell of the UTM. Currently it will only display option numbers 1 to 76 but supports all 255 option objects. For your assistance please.

    Thank you.

    6 votes
    1 comment  ·  Network Protection
  19. Blocked broadcast events in firewall log should not be in "Appliance Access" category.

    Broadcast events in firewall log are under "Appliance Access" category. This causes alarms on SIEMs. Whitelisting these in SIEMs could detect prevention of an actual brute-force appliance access attack.

    3 votes
    0 comments  ·  Network Protection
  20. MAC authentication for SSL VPN

    Need MAC-based authentication for SSL VPN connecting devices to enhance the security level and to protect the office network.

    27 votes
    12 comments  ·  Network Protection
