XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.

  1. Site path routing case insensitive or customize with regex.

    Make site path routing case insensitive. Because the URL can be typed in any combination of case by the endpoint wanting to access the webserver, this feature is rendered worthless if you are trying to block certain path combinations. This was experienced on an XG 330.

    1 vote

    0 comments  ·  Webserver Protection
  2. 1 vote

    0 comments  ·  Webserver Protection
  3. sec_request_body_no_files_limit in GUI

    Allow setting sec_request_body_no_files_limit via the GUI for Web Protection policy.

    Having to set via CLI tblwafsecurityprofile settings every time a WAF setting changes is very bothersome and leads to more downtime for customers.

    https://community.sophos.com/sophos-xg-firewall/f/discussions/114221/413-request-entity-too-large

    2 votes

    1 comment  ·  Webserver Protection
  4. country blocking web server rule

    WAF rules should allow certain countries to be blocked from access.

    4 votes

    0 comments  ·  Webserver Protection
  5. hwp filetype scanning support in sandstorm

    The customer wants hwp file type scanning support in Sandstorm.

    As of now, we don't support hwp scanning in Sandstorm.

    0 votes

    0 comments  ·  Webserver Protection
  6. http waf connections reset after changing remote desktop waf template rule

    As described in your article: https://docs.sophos.com/nsg/sophos-firewall/17.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/tasks/MicrosoftRemoteDesktopGateway2008andR2.html
    As soon as a new HTTP based rule configuration has been created and saved or an existing HTTP based rule configuration has been altered and saved, all HTTP based business rules will be restarted. Any underlying client connection using a HTTP based business rule will get lost and has to be re-established.

    This should not happen, and it should be corrected.

    1 vote

    0 comments  ·  Webserver Protection
  7. SFOS 18 - WAF error log - WEB viewer VS /log/reverseproxy.log - Improvement debugging - faster debugging

    Hi Sophos,
    I'm a Sophos Architect.
    Using WAF functions in depth, I'm amazed about the necessity to tail the reverseproxy.log to obtain the ID field of the error [id "<rule number>"].
    In the WEB log viewer, under Web Server Protection, I don't have this information!!!
    Why?
    Is it complicated to get this [id "<rule number>"] in the WEB log viewer?
    Thank you for implementing this function in the next release.
    Regards
    Alexandre Rastello | Consultor Sénior - Tecnologias Informação | Sophos Architect

    3 votes

    1 comment  ·  Webserver Protection
  8. Request for WAF TLS1.3 Support

    Request for WAF TLS1.3 support feature.

    15 votes

    3 comments  ·  Webserver Protection
  9. Allow more than 60 HTTP-based/WAF policies - URGENT

    I reached the limit of 60 HTTP-based / WAF policies. I am migrating the rules from an ASG to an XG. We still have to create more than 18 policies. We urgently need this limitation to be removed or extended.

    26 votes

    4 comments  ·  Webserver Protection
  10. 2 votes

    0 comments  ·  Webserver Protection
  11. Enable/Disable Ciphers

    Add option to disable ciphers.

    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA256
    TLS_RSA_WITH_AES_128_GCM_SHA256
    TLS_RSA_WITH_AES_256_CBC_SHA
    TLS_RSA_WITH_AES_256_CBC_SHA256
    TLS_RSA_WITH_AES_256_GCM_SHA384
    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA

    7 votes

    1 comment  ·  Webserver Protection
  12. XG Firewall should allow option to keep domain name while changing or renewing certificate

    We have an issue with XG Firewall, as it does not allow us to renew a certificate while it is in use, and if we create a new certificate it removes all custom domain names from the Domain field and there is no option to keep these domain names. We can't copy-paste or import these domain names, and adding the domain names one by one requires a lot of time and effort. Please provide an option so we can keep the existing domain names while changing the certificate.

    12 votes

    0 comments  ·  Webserver Protection
  13. Add Actual OWASP / ModSecurity Rule_ID to WAF Logs

    Coming from UTM, it used to at least include the rule id in ModSecurity that caused the block. Under XG there is no ID, so it is currently impossible to identify the rule that needs to be whitelisted.

    2 votes

    0 comments  ·  Webserver Protection
  14. WAF is unable to protect exe file upload

    I am handling an XG750 v18 Sophos firewall. WAF is also implemented, but WAF is unable to protect against exe file upload to the server. A WAFed website should protect against it (i.e. manage a custom policy to allow or deny upload of any type of file to the server). Even if exe upload is allowed on the server side, it should be turned off from the WAF.

    4 votes

    0 comments  ·  Webserver Protection
  15. Do not add "Cache-Control: no-cache" to header when publishing web through WAF with form authentication

    Do not add "Cache-Control: no-cache" to header when publishing web through WAF with form authentication. It was discussed in support ticket #9847958:
    "According to the development team, Header "Cache-Control: no-cache" is set by reverse proxy for pages protected by reverse form authentication. This is necessary because requesting protected pages must be checked against the origin server."

    When publishing web with no authentication or with basic authentication, it is OK and no caching is affected.
    All webs published with form auth are extremely slow because all requested items (jpg, css, script, ...) are transferred from XG every time user clicks or…

    1 vote

    0 comments  ·  Webserver Protection
  16. Allow more than 60 HTTP-based/WAF policies

    I've hit a limit of 60 HTTP-based/WAF policies, and I need more. I was told this is hard coded to limit it to 60. I'd like to get this increased.

    9 votes

    1 comment  ·  Webserver Protection
  17. Update SSL Certificate on WAF rules removes listed domains / add possibility to add wildcards

    When updating a wildcard certificate under Firewall - Business Rule - WAF, an error pops up stating that *.domain is invalid and removed. Next, all domains currently listed are also removed. To add again (and again) all domains used with a wildcard certificate is time consuming and faults are easily made.

    Stop removing all domains, or make an export/import possibility. Better yet, accept wildcards just like the UTM did, and let the webserver handle the URLs.

    12 votes

    0 comments  ·  Webserver Protection
  18. web server category

    IPS Policy rules category for Linux based Web Servers.
    Select rules category to apply for Linux Based Web servers.

    2 votes

    0 comments  ·  Webserver Protection
  19. x-header forwarders in XG Firewall

    Please add x-header forwarders in XG Firewall to see real IP addresses from Cloudflare or CDN networks.

    12 votes

    0 comments  ·  Webserver Protection
  20. ciphers

    Hi,

    Kindly add the following cipher support in XG Firewall for Web Server protection:

    TLS1.2-DHE-RSA-AES-256-SHA256
    TLS1.2-DHE-RSA-AES-128-SHA256

    3 votes

    0 comments  ·  Webserver Protection