Add the following to web exceptions as standard, as not all Office/Windows updates work correctly: some get part way through and then stop. This also affects Windows Update Assistant.
^([A-Za-z0-9.-]*.)?ntservicepack.microsoft.com
4 votes · Declined · Admin Rich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded:
We are reviewing the content of the exceptions in version 18. Note that many of the regular expressions you have listed are unnecessary duplications. We also try to avoid being too broad with our exceptions.
Feature: machine learning/artificial intelligence to detect any blacklisted IP and automatically make a firewall rule for that IP with the action drop/reject.
This will take the load off the engineer and protect the environment.
It will be an advantage for your appliance and it will become more recommended.
2 votes · Declined · Admin Rich Baldry responded:
If an IP address is already blacklisted, why is it necessary to create a firewall rule to also block it? IP addresses may come and go from dynamic blacklists – creating firewall rules will mean that blacklisted IPs remain blacklisted forever. This could also create many rules and make the firewall rule table unmanageable.
When a user should see the block notification on hitting a web protection rule, they instead get a security warning from the browser. According to support, "As XG is only rewriting the content of the webpage on the blocking and not rewriting the URL itself that is why you are seeing certificate error on the block page." This happens even though we have a valid public certificate set up on the XG.
So if a user is trained correctly, they will not bypass the security warning and will never see the descriptive block notification. This should be corrected.
1 vote · Declined · Admin Rich Baldry responded:
A browser will only accept an HTTPS connection if it believes it has come from the server it was trying to connect to. It is necessary to create a certificate that looks like it comes from the server, just like we do for HTTPS decryption. This will only be trusted if the client device trusts the certificate authority that is installed on the device for HTTPS decryption. In version 17.5 we introduced an option where we will just drop the connection instead of trying to connect and return a block page. This avoids the security warnings, but the user just sees a dropped connection.
The problem started when I wanted to allow only webmail to a specific group of users.
Most webmail servers use generic URLs for their authentication.
The problem is that those URLs are categorized as (search engine, dynamic DNS & ISP, etc.).
It would be very helpful if you could add those specific URLs as part of the webmail category,
as you can't access the webmail without them.
Thanks in advance for your help and cooperation.
1 vote
This is not often practical because, as you say, they are used for other services as well. Blocking them on networks where you want to block webmail will prevent a lot of other services working as well.
Need/require an interface internet date, timing and speed-wise report.
4 votes
Central Firewall Reporting should provide more in-depth reporting options going forward.
Privoxy is able to suppress redirects that Google is placing on their search results, or redirects to analytics sites.
Blocking categories makes the search sites not usable.
5 votes
Not clear what is required, and no clarification provided.
In Asia there are so many bitcoin miner cases.
Taiwan was a test target along with many countries.
So many business customers want to detect inside or outside problems with miner attacks.
But some miner websites are normal and legal.
Just the hacking category can't include all miner websites; covering only illegal websites is not enough.
Endpoint Protection has application control with a miner type category.
So why can't XG do this?
17 votes
It would be nice if a particular URL could be exempted from SafeSearch.
A whitelist for SafeSearch would be appreciated.
7 votes
Not clear what the purpose here is. Hopefully the inclusion of Safe Search and YouTube restrictions in policy in v17.5 will solve the issues.
The web category "Sexually Explicit" contains a lot of mis-categorizations. The system admin generally uses this category to block sites. It would be better if there was a category named "" itself, with all the websites that are absolutely **** oriented rather than vaguely explicit content.
3 votes
It’s always difficult to know where to draw the line with content of this nature, and we find that most organizations will block any explicit content. If you see examples of sites that you think have genuinely been miscategorized, please submit those examples here, using ‘Submit a Site’ secure2.sophos.com/en-us/support/contact-su..
I would like to include this on XG Firewall: the Policy Checker, Time Schedule customization, and total number of users per AP.
9 votes
Please limit your suggestions to one feature per post.
Please note that XG v17 included a Policy Test feature for Web and Firewall policies.
It is already possible to customize Time Schedules on v17 – Go to System > Profiles > Schedule
Please use McAfee website databases from UTM again!
Please vote for this feature!
22 votes
Sophos is working to continually improve the URL categorization in XG Firewall, as we believe that this is the best way to protect our customers going forward. If you have specific requests or requirements for our URL categorization please submit them as separate ideas.
Please make it possible to deactivate the size limit in real-time scanning mode.
Please vote for it!
18 votes
Please unlock Sandstorm for XG Home, but please let Sophos XG remain free software!
41 votes
Unfortunately there are significant costs associated with running the Sandstorm service that make it uneconomical for us to provide it free for home use.
SafeSearch runs on Windows devices seamlessly. But some customers want to exclude Android or iOS devices. They don't want to install the certificate on their personal or mobile devices.
IP/MAC host association can be a problem for customers who have lots of devices.
And some of them do not want their IPs left in another rule.
So I think it would be nice to have a setting so that it can be applied separately for devices.
(For more info: https://community.sophos.com/products/xg-firewall/f/web-protection/89648/safe-serach)
5 votes
It is no longer necessary to use HTTPS decryption in order to enforce SafeSearch, so the problem of mobile devices without an organization's CA certificate should not be an issue any longer.
Furthermore, in v17.5 we have moved SafeSearch configuration into Web Policy.
If you still want to support device-specific policy configurations, there are other existing idea requests on this forum you should consider supporting.
There is an issue: blocking .dll extensions causes problems with websites that use ISAPI.dll in their URL. Sample scenario: a web policy containing a block for System files, which includes dll as a file type, when enabled is blocking the URL for eBay http://my.ebay.com.au/ws/eBayISAPI.dll?MyEbay&gbh=1
3 votes
This is working as expected, and unfortunately, changing it would result in more problems than would be solved by the change. You may create exceptions for the few sites where you find this to be a problem.
Feature Request Summary
How will this new feature address your business requirements?:
Dashboard administrator view: license, DDoS attack, firmware update (add more widgets).
Navigation panel access customization: the user experience is confusing with everything in one tab. Examples: Report, Policy, Protection & Systems.
Dashboard view: could we fully utilize the empty space by adding more graphs and data?
Could you import an existing Cyberoam CR200iNG configuration file into Sophos OS?
Could I know whether I can build an SSL VPN or IPsec tunnel with a different firewall product (Sophos XG with Cyberoam or FortiGate)?
Dashboard customization is not planned currently, but will be considered in a future version. I will mark this request as declined, as it is not possible to track votes for multiple feature requests in a single idea on this site.