XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.

XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Add support for cipher suite in Cyberoam OS

    Add a support to ciper suit TLSECDHERSAWITHAES128GCM_SHA256 -

    {0xC0,0x2F} in Cyberoam OS

    88 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    19 comments  ·  Web Protection  ·  Flag idea as inappropriate…  ·  Admin →
  2. Quota on Web

    The administrator must able to reset the Quota for a user.
    This option was working fine on the UTM but is not available in the XG.

    The Quota is only good working wen I can set Quota on a user activities group.
    And in this group are categories.
    And a user can be in different groups on the XG.

    So you have a group whit free internet for work and a group whit Quota internet for pause or fun.

    1 vote
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Protection  ·  Flag idea as inappropriate…  ·  Admin →
  3. Allow Sandstorm to show every request to help debugging

    Sometimes I find Web sites that appear to be unresponsive unless I add an exception to the XG to skip Sandstorm scanning for them (or create a clone rule that has "Scan for zero-day threats with Sandstorm" disabled.) I spent over three hours with Sophos tech support trying to figure out why this was happening because nothing was showing in the sandboxd log, and it couldn't be set to debug log level to confirm if this is a bug or if Sandstorm is working as designed.

    So please add a debug log level option to sandboxd and allow it to…

    4 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Web Protection  ·  Flag idea as inappropriate…  ·  Admin →
  4. allow exclusions for certificate validation

    for Web Protection it would be good to have the option to download / exclude certificates for certificate Validation (Block invalid certificates in General Settings).
    the setting like we have in SWA is missing in XG: http://wsa.sophos.com/docs/wsa/webhelp/swa/tasks/ConfigGlobalPolCertValidAddFromWeb.html

    4 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Web Protection  ·  Flag idea as inappropriate…  ·  Admin →
  5. Quota Time in actions (Policy Web Protection)

    add the option Surfing Quota in actions in the policies of the web protection as already exists in the UTM

    4 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Web Protection  ·  Flag idea as inappropriate…  ·  Admin →
  6. surfing quota

    Sophos XG's time based quota works on logon time and session. When a user logs on to a machine the session will start and the quota will be triggered.

    If a user has granted web surfing Quota of Daily 1 hour Cyclic and he logons his PC at 9:00 hrs then his quota will expired at 10:00 hrs whether he has used Internet or not.

    As per the support team this is not possible right now and suggested a feature request.

    4 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Protection  ·  Flag idea as inappropriate…  ·  Admin →
  7. Web Category and Reputation Override like UTM

    On UTM we have the Web Category and Reputation override. This can help to add additional URL/Domains to proper category so even the reports match. On XG this is not possible. I guess this feature should not be so hard to implement. I really like the XG web section. Thanks

    35 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  Web Protection  ·  Flag idea as inappropriate…  ·  Admin →
  8. Per-policy control for SafeSearch

    Please provide the option to enable/disable Safe search and youtube restricted mode per policy.

    In schools we need the ability to enable/disable the safesearch and youtube restricted mode based on the policy for individual user groups rather than globally while at the same time as having web category filtering.

    For example we would like to turn safesearch mode and youtube restricted mode off for certain staff groups but while maintaining the category filtering, where as students we want safesearch and the youtube restricted mode on at all time.

    88 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    13 comments  ·  Web Protection  ·  Flag idea as inappropriate…  ·  Admin →
  9. Category based surfing quota

    We have a request about surfing quota based on a specific category or categories. Right now, this is fuction is available for the general internet but not for a specific category. For instance, we need to restrict the users for accessing to social network websites about an hour a day. After they fill one hour allowance to social networking sites, they will not be able to reach to social networking but they will be able to use their usual internet usage.
    This function is available for other firewall brands and it is really necessary for some customers. I hope you…

    31 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  Web Protection  ·  Flag idea as inappropriate…  ·  Admin →
  10. Separating “YouTube Restricted Mode” from "Enable SafeSearch" feature

    Separating YouTube "Restricted Mode" from "Enforce Safe Search" option in XG Firewall would allow much more flexibility for customers.
    YouTube "Restricted Mode" is currently just too “restricted” (not usable) and customers should have possibility to turn it on or off without impact on SafeSearch.
    On the other side, SafeSearch is very useful feature that customers would probably have always on.

    97 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    12 comments  ·  Web Protection  ·  Flag idea as inappropriate…  ·  Admin →
  11. Disable web caching by default on XG firewalls

    Nowadays it is very rare to use web caching given the speeds/bandwidth of todays networks. This feature is on by default on the XG firewall - most products no matter the vendor has this option disabled.

    Caching often causes issues more issues than benefits and can often break webpages and is something overlooked.

    8 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    Completed  ·  1 comment  ·  Web Protection  ·  Flag idea as inappropriate…  ·  Admin →
  12. user agent

    Hello,

    I would like to have our proxy log all User Agent strings and possibly the referrer. This is a great way to see what is making network connections out and helps with root cause analysis. This is also import information when performing incident response.

    4 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Protection  ·  Flag idea as inappropriate…  ·  Admin →
  13. web realtime scanning notification

    When I switch the Webprotection Malware scanning mode to Realtime scanning, I dont see any Notification when a Virus is found.
    So maybe you can make it possible to recieve a notification when a Virus is found in Realtime scanning mode.

    61 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    16 comments  ·  Web Protection  ·  Flag idea as inappropriate…  ·  Admin →
  14. Include Invincea's Deep Learning Engine (Machine Learning) on the UTM

    Since Sophos has purchased Invincea, I am requesting that Sophos included Invincea's pre-execution Deep Learning Engine (Machine Learning) on the UTM itself.

    Now that Sophos has acquired Invincea and their scanner's ability to detect new malware before it executes, if the scanner was included on the UTM, it could increase the detection of unknown malicious files before they execute.

    With the combination of Sophos' database of known safe files which it could check files against, Sophos could avoid the problem of false positives from Machine Learning detection.

    I am requesting that Sophos add this Machine Learning layer to the UTM…

    12 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Protection  ·  Flag idea as inappropriate…  ·  Admin →

    In version 18 we are leveraging Deep Learning capabilities in Sophos’s cloud-based analysis platform. When we send a suspect file to be scanned with Sandstorm, samples will also be checked with Deep Learning AI models. Deep Learning is also embedded into the sandbox environment and is used extensively during sample detonation. Version 18 will also provide new in-depth analysis reports that use aspects of machine learning to show how suspect items relate to other known good or bad files.

  15. Allow modification to HTTP timeout value

    We use an http service that lets you download a dynamically rendered PDF specific to our site. Unfortunately, XG 16.0.5 does not let you change the timeout value for an http response, and the PDF takes about 67 seconds to render, and the XG times out the connection before it has a chance to download. Reaching the site directly via cell phone or other firewalls allows the https server enough time to deliver the PDF, but not through the XG. Support rep confirmed there are no console commands to change this behavior, please refer to case number 6855875.

    7 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Web Protection  ·  Flag idea as inappropriate…  ·  Admin →

    This was added in v17.0 of XG Firewall.

    To change the response timeout:

    1. Connect to the device console via SSH or directly with a keyboard/monitor or serial cable.
    2. Login
    3. On the main menu, select (4) Device Console
    4. At the prompt, to increase the timeout to 3 minutes from the default of 60 seconds, enter the following:

    console>set http_proxy response_timeout 180

    5. Exit the console and log out.

    To see the current value, enter the following command at the console:

    console>show http_proxy

    Note that setting this value too high will increase the risk that misbehaving servers could cause a denial of service – consuming excessive open connections by just not responding to requests sent.

  16. Allow Websocket connections

    All Website if use Websoket that time Sophos XG 16.01.2 not working site

    6 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Protection  ·  Flag idea as inappropriate…  ·  Admin →
  17. URL category update

    Review and update Category periodically as some URL are being wrongly categorized

    7 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Web Protection  ·  Flag idea as inappropriate…  ·  Admin →
  18. Restrict YouTube via HTTP Header for some user groups

    Google has just introduced new methods for controlling access to YouTube--DNS and HTTP headers. It would be nice if ths XG supported the HTTP headers so we could setup restrictions for some user groups. Details of the changes are documented here: https://support.google.com/a/answer/6214622

    23 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    6 comments  ·  Web Protection  ·  Flag idea as inappropriate…  ·  Admin →
  19. XG Web Protection: Policy Helpdesk/Policy Test

    Policy Helpdesk is one of the most convenient and powerful troubleshooting tool present on UTM v9 OS. It is missing on the SFOS Platform.

    The Policy helpdesk allows the Network Administrator to evaluate the web filtering rules and policies applied to various machines on the basis of IP Address or User Identity without physically going on to the machine and testing.

    Also identifying the policy which blocks the site is directly shown on the UTM itself just by entering either the source IP or the User Identity along with the destination URL or IP.

    This really makes life easy.

    50 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  Web Protection  ·  Flag idea as inappropriate…  ·  Admin →
  20. Add the ability to use a regex expression for https scanning similar to http scanning for content delivery providers such as akamai

    The existing web content http scanning rules allow for the use of a regex url expression to bypass scanning. This same capability is needed for https also to set rules bypassing scanning/blocking for content providers such as akamai and Apple iTunes. When viewing HD content on Apple iTunes and web content filtering is on, Apple iTunes redirects to [multiple addresses].akamaitechnologies.com to deliver the HD content. The only other current alternative is to turn off web content scanning for the user or device altogether which is not good.

    18 votes
    Sign in Sign in with Log in with your Sophos ID
    Signed in as (Sign out)

    We’ll send you updates on this idea

    5 comments  ·  Web Protection  ·  Flag idea as inappropriate…  ·  Admin →
← Previous 1
  • Don't see your idea?

Feedback and Knowledge Base

icon-data-protection icon-endpoint-protection icon-phish-threat icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-mobile icon-sophos-utm icon-sophos-utm icon-sophos-utm icon-web-appliance icon-xg-firewall icon-xg-firewall icon-avid-secure icon-lightbulbCreated with Sketch.