Changing the order (priority) of firewall rules is currently only possible by dragging and dropping.

Not only is it exceedingly cumbersome to move a rule this way if there are a lot of rules, is it not always clear where the rule will "land" after dragging it. This unpredictable behavior is unacceptable in many Change Management policies.

Please add an option to move the rule by entering a specific location.

You can define customized services, for example tcp/udp port from 1:65535 to 4444. Also you can define custom icmp services, but it's not possible choice options out of RFCs. If you want define a ICMP service of type 1 (in RFC type 1 and 2 are unassigned), simply, you can not do it. It's not sense you can define your own service, but a custom icmp service does not be. By definition it is a "custom" not "standard" service.

We need "IP Unnumberd" for Internet connection.

Because
1.it is very major function on Japan market.
2.Many competitors have already supported.
3.It is also useful function for managing network connection on IPv6 environment.

Add SFTP support under the connection options, so that files (particularly log files) can be downloaded from the XG on the LAN interface, so that they can be analysed off-system. It is a real inconvenience to try and do detailed searches of the log files while on the console. Not everyone has a syslog server.

MD5 checksum is not listed on the download site in the Hardware Installers and Virtual Installers of Firewall OS for XG Series.

MD5 should be written like SG from the viewpoint of security and installation failure.

it would be great to be able to manage multiple host on the same IP while creating a DNS record on the Sophos XG.

Right now we se the gateway as a DNS server and creating more than 100 records is no cool.

Allowing the use of wildcard would be even better.
*.domain.com A 192.168.0.1

Most ISPs in Europe require you to use a DHCP Option on the WAN Interface in order to use your own Router or Firewall.

If this can't be done on the Sophos XG it is useless to me and a lot of other people, which would be a shame.

You missed to implement sha1 in snmpv3 config. Many monitoring solutions only support md5 and sha1, but not sha256 and sha512, so we must use md5 for hash.

Security cannot be an argument, since "DES" is still offered for the encryption.

It would be nice when changing the hostname in the Sophos XG WebGUI it will be also changed in the OS-System. Actually only the application changes it for certificates, but the Operating System is still localhost. This looks confusing in the ESXi virtual machine overview

1. Request to add "Description (Optional)" box when adding static routing, Useful for remember when check later or other working person can understand without asking again.




2. Request ability to temporary disable some static routing IP instead of remove them and add it again.

Possibility of full text search in firewall rules

Add ability to export active (in case filtering is applied) firewall/NAT rules with their stats to CSV or PDF for external reporting requirements.

Hi all,

It would be great if you could test published services in the "Policy Tester" section.

Specially since you're trying to push v18, why not add that possiblity? The policy tester already can tell you rule and NAT of outgoing traffic to the internet.

And since decoupling NAT and firewalls rules will cause a lot of NAT rules (specially mid to large companies), checking those in the little screen that SFOS provides its not great.

Thanks!

Please bring AES-NI support for the software version of XG.

As you can read in this thread it is not yet supported:
https://community.sophos.com/products/xg-firewall/f/hardware/119782/hardware-acceleration-aes-ni-isn-t-being-used-on-the-software-version-of-xg-v18#pi2151=1

We have created a "Deny All" rule to ensure that any blocked traffic is logged, when we enable this, we lose access to the XG via the WAN Interface when using ACLs.

Can it be implemented that ACLs take precedence over the Firewall rules?

There are numerous other ideas relating to similar issues that may also overcome this problem:

Display 'hidden' firewall rules on the firewall page:
https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/32511967-display-hidden-firewall-rules-on-the-firewall-pa

Relocate Local Service ACL Exception Rules to just be firewall rules:
https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/31652716-relocate-local-service-acl-exception-rules-to-just

Local ACL exceptions should not be logged to the last firewall rule ID:
https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/37296451-local-acl-exceptions-should-not-be-logged-to-the-l