XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.

  1. XG is not working to perform hairpinning

    XG is not working to perform hairpinning. Nowadays so many devices are accessed internally by global IP without an FQDN, so please enable this feature.

    3 votes  ·  0 comments  ·  Network Protection
  2. STAS: allow unauthorised users to access the internet

    STAS to allow unauthenticated users internet access. We use STAS to map IP against users for web use monitoring; we don't want to restrict non-authenticated users or annoy them with having to log in to the XG.

    2 votes  ·  1 comment  ·  Network Protection
  3. Hairpinning

    Can automatic NAT hairpinning be built into SFOS automatically like it is in UTM? It is very frustrating to have to create hairpin rules in order to access published servers from behind the same XG firewall. The best solution I've found to date is to set the source zone as "any" on the business rule governing the DNAT for the published service; however, that masks the true source IP address for any device on the outside accessing that published service because the firewall translates the source to its own IP address. That makes it impossible to filter and restrict access to some…

    2 votes  ·  0 comments  ·  Network Protection
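To make the trade-off raised in ideas 1 and 3 concrete, here is an added example (not Sophos code and not from either post) that models the two ways of publishing a server through a DNAT rule with a small Python packet/rule evaluator: the "source zone any + masquerade" workaround, and a split pair of rules where only LAN-originated (hairpin) connections are masqueraded. All addresses, zone names and the rule layout are constructed for the illustration.

```python
"""Model of hairpin NAT decisions on a DNAT (published-server) rule.

Added example, not Sophos code: it models the two setups described in the
post above with a tiny packet/rule evaluator so the effect on the server's
view of the client source address can be checked.  IP addresses, zone names
and rule layouts are constructed for illustration.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional

PUBLIC_IP = "203.0.113.10"   # WAN address the service is published on (constructed)
SERVER_IP = "10.0.0.20"      # internal web server (constructed)
FW_LAN_IP = "10.0.0.1"       # firewall's LAN interface address (constructed)
LAN = ip_network("10.0.0.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_zone: str  # "WAN" or "LAN"


@dataclass(frozen=True)
class DnatRule:
    """A business-application style DNAT rule: match on public IP/port and
    source zone, translate the destination, optionally masquerade the source
    to the firewall's own LAN address."""
    src_zones: frozenset  # frozenset({"ANY"}) means any zone
    public_ip: str
    dport: int
    server_ip: str
    snat_to_fw: bool

    def matches(self, pkt: Packet) -> bool:
        return (
            pkt.dst == self.public_ip
            and pkt.dport == self.dport
            and ("ANY" in self.src_zones or pkt.in_zone in self.src_zones)
        )


def apply_nat(pkt: Packet, rules: List[DnatRule]) -> Optional[Packet]:
    """First-match evaluation; returns the packet as the server will see it,
    or None if no rule published that destination/port."""
    for rule in rules:
        if rule.matches(pkt):
            out = replace(pkt, dst=rule.server_ip)
            if rule.snat_to_fw:
                out = replace(out, src=FW_LAN_IP)
            return out
    return None


def zone_for(src: str) -> str:
    """Ingress zone of a client address under the constructed topology."""
    return "LAN" if ip_address(src) in LAN else "WAN"


# Workaround from the post: one rule, source zone "any", masquerade on.
# Hairpinning works, but every client, external ones included, is seen as the firewall.
WORKAROUND = [DnatRule(frozenset({"ANY"}), PUBLIC_IP, 443, SERVER_IP, snat_to_fw=True)]

# Split setup: external clients keep their real source; only LAN clients
# (the hairpin case) are masqueraded, which is needed so the server's reply
# returns through the firewall instead of going directly to the LAN client.
SPLIT = [
    DnatRule(frozenset({"WAN"}), PUBLIC_IP, 443, SERVER_IP, snat_to_fw=False),
    DnatRule(frozenset({"LAN"}), PUBLIC_IP, 443, SERVER_IP, snat_to_fw=True),
]


def server_view(client_src: str, rules: List[DnatRule]) -> Optional[str]:
    """Source address the published server logs for a client connecting to
    PUBLIC_IP:443 under the given rule set (None if not published)."""
    pkt = Packet(client_src, PUBLIC_IP, 443, zone_for(client_src))
    out = apply_nat(pkt, rules)
    return None if out is None else out.src


if __name__ == "__main__":
    for name, rules in (("workaround", WORKAROUND), ("split", SPLIT)):
        for client in ("198.51.100.7", "10.0.0.55"):
            print(f"{name:10s} client {client:14s} -> server sees {server_view(client, rules)}")
```

Masquerading is unavoidable for the hairpin case itself: without it the server would answer the LAN client directly, bypassing the firewall, and the connection would fail. What costs you the real client address in the server logs, and in any source-based restriction on the rule, is applying it to every source zone rather than only to the LAN-originated connections.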
  4. Reset firewall hit counter

    Reset the firewall hit counter, not only after a reboot.

    5 votes  ·  0 comments  ·  Network Protection
  5. Inside activation of a firewall rule

    If a firewall rule (user/network based) is disabled, it would be nice to have the option to activate it from inside the rule configuration as well.

    1 vote  ·  0 comments  ·  Network Protection
  6. Multiple IPs in Business Application Rules

    When creating a Business Application Rule as a NAT, to have the option to choose more than just one IP address to receive the connection.

    7 votes  ·  0 comments  ·  Network Protection
  7. Advanced NAT options for firewall rules

    I have seen multiple forum posts about this and there are also some feature requests that all come down to the same issue: managing NATs kind of sucks on the XG!

    On a user rule, the only thing we can do is masquerade. That's not always useful. There's no way to control DNAT and SNAT options in a good way. We don't have a proper way to set up a 1-to-1 NAT for a full network other than creating two business rules that are really not made for this purpose. It's completely unintuitive and not well designed.

    The Network Address Translation…

    9 votes  ·  0 comments  ·  Network Protection
  8. NAT on a different tab, not on firewall rules

    NAT on a different tab, like the SG version.
    It would be great to use and categorize rules by selecting the NAT type: SNAT, DNAT, 1:1 NAT.

    1 vote  ·  0 comments  ·  Network Protection
  9. Zero Firewall Rule Traffic Counter

    Very simple, have an option to zero the traffic counter on a firewall rule.

    87 votes  ·  14 comments  ·  Network Protection
  10. Port 80 and port 443 are not blocked by the firewall

    In the default configuration, without any workaround, ports 80 and 443 are not blocked;
    that behaviour is also there when you enable an explicit drop rule.

    Instead of blocking the traffic, the XG Firewall says on both web ports "Hello, I'm a Sophos XG Firewall". The behaviour is the proxy function and it is there by design.
    (The behaviour is also seen from outside.)

    4 votes  ·  1 comment  ·  Network Protection
  11. 1-to-1 subnetted NAT

    Any firewall that is used in a corporation must implement 1-to-1 subnet-to-subnet NAT,
    in fact allowing traffic on both sides;
    for security it uses a firewall policy.

    As it was in UTM, NAT is a must in any circumstance. Administrators must have more flexibility to implement any type of NAT; they must not be tamed by the type that the firewall forces them to use.

    7 votes  ·  0 comments  ·  Network Protection
  12. Sandstorm / IPS scanning

    Sandstorm will only scan HTTP on TCP 80 and HTTPS on TCP 443. The IPS/IDS system within the XG should be proactive, understand when HTTP/HTTPS transactions are happening and allow Sandstorm scanning.

    We have many web servers within our DMZ and they can use non-standard TCP ports for their connections. This means a large percentage of files are not being processed by Sandstorm.

    3 votes  ·  0 comments  ·  Network Protection
  13. Allow SSL site-to-site and remote access simultaneously

    SSL tunnels are excellent for remote use as well as site-to-site, but XG is currently limited to only one of them functioning at any one time. This should be changed!

    4 votes  ·  Completed  ·  0 comments  ·  Network Protection
  14. Firewall rule edit

    For SFOS V17 Beta

    In V16.05 firewall rules, we were able to edit the rule by clicking on the main rule page directly, but in V17 we need to click on the "..." icon and then edit/clone the firewall rule. Please keep this the same as it was in V16.05.

    12 votes  ·  Completed  ·  0 comments  ·  Network Protection
  15. Synchronizing PPPoE sessions

    In SFOS version 16.05.4 MR 4, PPPoE sessions in HA mode are not synchronized.
    PPPoE goes down and reconnects when a switchover occurs from the primary.
    PPPoE sessions are not inherited, so there is no point in configuring HA.

    Make sure PPPoE sessions are synchronized.

    2 votes  ·  0 comments  ·  Network Protection
  16. Negate objects in the firewall policy

    In the firewall policies, I miss a feature to negate an object inside a rule.

    So for example I could define in a single rule: the whole of zone LAN is allowed as destination, but not the object "Server xy"...
    Or any service is allowed, but not SQL.

    In the policy change view, I have two action icons: one for editing and one for removing. A third icon for negating would make the UI part (and the object could then be shown as struck through or similar...).

    9 votes  ·  0 comments  ·  Network Protection
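As an added example (not from the post and not Sophos code), the following Python shows the semantics being asked for and what the same policy compiles down to on a firewall without negation: explicit denies for the excluded objects placed ahead of the broad allow. The LAN zone, the "Server xy" object and the SQL service definition are constructed for the illustration.

```python
"""Negated objects in a firewall rule, and the equivalent without negation.

Added example, not from the post or from Sophos. A tiny first-match policy
evaluator whose rules accept an "except" set on destination and on service,
next to the ordered deny-then-allow rules that express the same policy on a
firewall that has no negation. The LAN zone, "Server xy" and the SQL service
are constructed for the illustration.
"""
from dataclasses import dataclass
from itertools import product
from typing import FrozenSet, Iterable, List, Optional, Tuple

Service = Tuple[str, int]  # (protocol, port)

# Constructed objects.
LAN_ZONE: FrozenSet[str] = frozenset({"10.0.0.10", "10.0.0.20", "10.0.0.30"})
SERVER_XY: FrozenSet[str] = frozenset({"10.0.0.20"})
SQL: FrozenSet[Service] = frozenset({("tcp", 1433)})


@dataclass(frozen=True)
class Rule:
    action: str                                   # "allow" or "deny"
    dst: FrozenSet[str]                           # destination object (zone or host set)
    svc: Optional[FrozenSet[Service]] = None      # None = any service
    dst_except: FrozenSet[str] = frozenset()      # negated destination objects
    svc_except: FrozenSet[Service] = frozenset()  # negated services

    def matches(self, dst: str, svc: Service) -> bool:
        if dst not in self.dst or dst in self.dst_except:
            return False
        if self.svc is not None and svc not in self.svc:
            return False
        return svc not in self.svc_except


def decide(rules: List[Rule], dst: str, svc: Service, default: str = "deny") -> str:
    """First matching rule wins; the implicit final rule denies."""
    for rule in rules:
        if rule.matches(dst, svc):
            return rule.action
    return default


# What the post asks for, as one rule:
#   allow  dst = LAN except "Server xy",  service = any except SQL
WITH_NEGATION = [Rule("allow", LAN_ZONE, dst_except=SERVER_XY, svc_except=SQL)]

# The same policy on a firewall without negation: deny the excluded cases
# first, then allow the rest. Order matters; swap them and the denies never fire.
WITHOUT_NEGATION = [
    Rule("deny", SERVER_XY),            # anything to Server xy
    Rule("deny", LAN_ZONE, svc=SQL),    # SQL to the rest of the LAN
    Rule("allow", LAN_ZONE),            # everything else into the LAN
]


def policies_agree(rules_a: List[Rule], rules_b: List[Rule],
                   hosts: Iterable[str], services: Iterable[Service]) -> bool:
    """True if both rule sets give the same decision for every (dst, svc) pair."""
    return all(decide(rules_a, h, s) == decide(rules_b, h, s)
               for h, s in product(list(hosts), list(services)))


if __name__ == "__main__":
    probes = [("10.0.0.10", ("tcp", 443)), ("10.0.0.10", ("tcp", 1433)),
              ("10.0.0.20", ("tcp", 443)), ("192.0.2.1", ("tcp", 443))]
    for dst, svc in probes:
        print(dst, svc, decide(WITH_NEGATION, dst, svc), decide(WITHOUT_NEGATION, dst, svc))
```

The point of `policies_agree` is the review step a practitioner wants before replacing a negated rule with an ordered pair: enumerate the hosts and services the policy is meant to cover and confirm both forms decide identically, because the rewritten form silently changes meaning if a later edit reorders the rules.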
  17. SMTP malware scanning support with user/network policy

    SMTP malware scanning support with a user/network policy.

    SMTP malware is not scanned with a user/network policy.
    I want this function to be supported.

    5 votes  ·  0 comments  ·  Network Protection
  18. Transparent subnet configuration

    It would be great if Sophos XG would allow you to create a transparent interface like SonicWall does: https://support.sonicwall.com/kb/sw5979. Sophos currently only supports using a bridge interface or proxy ARP to achieve this, which is not as easy or clean as SonicWall's method.

    https://community.sophos.com/kb/en-us/123524
    https://community.sophos.com/kb/en-us/123525

    6 votes  ·  0 comments  ·  Network Protection
  19. Increase the limitation of maximum thin clients

    Please increase the limitation of 64 maximum thin clients, as some customers have more than 64 Citrix servers.
    256 would be a good number.

    12 votes  ·  4 comments  ·  Network Protection
  20. Allow wildcard subdomains in firewall rules

    Firewall packet filtering based on wildcard subdomains and reverse DNS resolution.

    We would like to allow/deny connections based on a wildcard subdomain (think *.example.com). The only way to do that is to reverse-DNS the destination IP and allow/deny based on the wildcard rule?
    Although there is the common possibility that the reverse DNS is not the same as the A or CNAME record requested, so I'm not sure how useful that would be.

    But we would really appreciate the ability to filter based on wildcard subdomains, like *.update.microsoft.com. See:
    https://technet.microsoft.com/en-us/library/bb693717.aspx

    93 votes  ·  7 comments  ·  Network Protection
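The caveat in this post (the PTR name is often not the A or CNAME name the client asked for) is worth seeing in code. The following is an added example, not from the post and not Sophos code: it matches hostnames against `*.example.com` style patterns, applies forward-confirmed reverse DNS (a PTR answer is trusted only if the returned name resolves back to the same address), and contrasts that with deciding on the name the client actually requested. The DNS records are constructed tables; a real check would query a resolver. The requested-name path assumes the firewall can see that name, for example from TLS SNI or the HTTP Host header, which is an assumption of this example rather than something the post states.

```python
"""Wildcard hostname rules, and why a bare reverse lookup is a weak basis for them.

Added example, not from the post or from Sophos. It matches hostnames against
"*.example.com" style patterns and shows forward-confirmed reverse DNS
(FCrDNS): a PTR answer is trusted only if the name it returns resolves back to
the same address. The DNS records are constructed tables; a real check would
query a resolver. The "requested name" path assumes the firewall can see the
name the client asked for (for example TLS SNI or the HTTP Host header).
"""
from typing import Dict, List, Optional, Set

# Constructed DNS data.
A_RECORDS: Dict[str, Set[str]] = {
    "dl.update.microsoft.com": {"203.0.113.5"},
    "cdn.example.net": {"203.0.113.5"},          # another name on the same front-end
    "evil.example.org": {"198.51.100.9"},
}
PTR_RECORDS: Dict[str, str] = {
    "203.0.113.5": "cdn.example.net",            # PTR names a different host than requested
    "198.51.100.9": "dl.update.microsoft.com",   # attacker-controlled PTR claiming a trusted name
}

ALLOW: List[str] = ["*.update.microsoft.com"]


def host_matches(pattern: str, host: str) -> bool:
    """'*.d' matches any host with at least one label in front of d; otherwise exact match.
    Comparison is case-insensitive and ignores a trailing dot."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                     # ".update.microsoft.com"
        return host.endswith(suffix)             # leading dot enforces a label boundary
    return host == pattern


def fcrdns_name(ip: str) -> Optional[str]:
    """PTR name for ip, only if that name has an A record pointing back to ip."""
    name = PTR_RECORDS.get(ip)
    if name is None or ip not in A_RECORDS.get(name, set()):
        return None
    return name


def allowed_by_rdns(ip: str, patterns: List[str]) -> bool:
    """Decision based solely on the destination IP's forward-confirmed PTR name."""
    name = fcrdns_name(ip)
    return name is not None and any(host_matches(p, name) for p in patterns)


def allowed_by_requested_name(host: str, ip: str, patterns: List[str]) -> bool:
    """Decision based on the name the client asked for, checked to resolve to ip."""
    if ip not in A_RECORDS.get(host, set()):
        return False                             # name/IP mismatch: do not trust the name
    return any(host_matches(p, host) for p in patterns)


if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.9"):
        print(ip, "PTR:", PTR_RECORDS.get(ip), "FCrDNS:", fcrdns_name(ip),
              "allowed by rDNS:", allowed_by_rdns(ip, ALLOW))
    print("requested dl.update.microsoft.com -> 203.0.113.5:",
          allowed_by_requested_name("dl.update.microsoft.com", "203.0.113.5", ALLOW))
    print("requested dl.update.microsoft.com -> 198.51.100.9:",
          allowed_by_requested_name("dl.update.microsoft.com", "198.51.100.9", ALLOW))
```

Two failure modes show up in the constructed data: the legitimate front-end at 203.0.113.5 has a PTR for a different, unrelated name, so an rDNS-based rule wrongly denies it even though the lookup is forward-confirmed; and the host at 198.51.100.9 publishes a PTR claiming a trusted name, which the forward confirmation rejects. Deciding on the requested name, verified to resolve to the destination address, handles both.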