XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.

  1. Add options for IPv6 DHCPv6-PD

    My ISP supports native IPv6; they support prefix delegation using DHCPv6-PD to assign a /56 subnet. They do not assign the WAN interface an IPv6 address (i.e. no IA-NA) and only provide a prefix delegation (IA-PD). Currently XG (and UTM9) doesn't work with my ISP to get a PD because there are no options to request IA-PD only. My ISP edge router will respond to a solicit message with an IA-NA and IA-PD request but it would appear that the XG doesn't conform to RFC7550 when it sends an IA-NA message and receives a "NoAddrsAvail" from my ISP edge router.

    220 votes
    33 comments  ·  Base System + General UI
  2. Add ability to create MAC host groups.

    In the list of host objects, all have the option to create groups, except for MAC hosts. Please add ability to also create groups for those objects.

    17 votes
    4 comments  ·  Base System + General UI
  3. SCP Access should be possible

    According to the following thread, SCP-Access to the Firewall should be possible. It would improve troubleshooting workflows a lot.

    https://community.sophos.com/products/xg-firewall/f/46/t/73960

    74 votes
    1 comment  ·  Base System + General UI
  4. Button to renew DHCP on the WAN interface

    In the UTM WAN interface there is a button to renew DHCP. There is no such button in the XG WAN interface.

    19 votes
    0 comments  ·  Base System + General UI
  5. Objects/Rules/Service Bulk Insert

    It is currently not possible to do a bulk insert of objects, services and policy. This could be very useful when you migrate from other vendors or you want to preconfigure new devices.

    16 votes
    1 comment  ·  Base System + General UI
  6. Clientless Users assign MAC Address(es)

    Have the option to assign a MAC address to a clientless user instead of an IP address; also have the option to assign multiple MAC addresses to a client for all their devices, i.e. phone, tablet, PC.

    45 votes
    7 comments  ·  Base System + General UI
  7. Add inheritance to App and Web filter policies.

    It is hard to develop several filter policies with small differences for several groups of users. It would be nice to have the ability to inherit, for example, web categories from other web filter policies, and the same for application filters.
    Or there could be the ability to duplicate policies as it has been mentioned before.
    Thank you.

    4 votes
    0 comments  ·  Base System + General UI
  8. Export configuration in a readable format, as in UTM

    At the moment, exporting the full configuration is easy with the new option, but we need some way to export the full configuration or part of it where the config is fully readable, as is possible with UTM.
    This can be used for Passive Analysis too.

    49 votes
    11 comments  ·  Base System + General UI
  9. Username of Admin should be changeable

    Currently, the WebAdmin master user has the fixed name admin. It would be great if we had the possibility to change the username. This would be an improvement against brute-force attacks when the WebGUI is somehow published to the Internet.

    305 votes
    10 comments  ·  Base System + General UI

    This is being considered. The current intention is to add a superadmin role, making the default admin account just a member of that role.

    This will allow you to create new superadmin accounts, capable of logging into the shell, adding ssh keys, and any other features limited currently to the named admin account.

    Second, you will be able to disable or demote the named admin account.

  10. NTP - no need for rebooting the Firewall

    When making changes to the NTP Configuration, it should not be necessary to reboot the Firewall afterwards.

    102 votes
    0 comments  ·  Base System + General UI
  11. Improve Backup operation

    At the moment it is possible to configure only one method of backup (Local or Email or FTP). I would like to configure 2 ways, such as Local + email, Local + FTP.
    Also, there is no way to only upload a configuration inside XG without restore (as is possible with UTM).
    Once the configuration has been uploaded, I would like to see what has changed from the last configuration to the current configuration. So, the chance to generate a PDF report which lists all differences and details, such as:
    - User A has been added (details)
    - Policy ID has been changed (details)
    - New Traffic…

    8 votes
    1 comment  ·  Base System + General UI
  12. Handle exceptions more easily

    Today it is quite hard to create simple exceptions. For example: let's say we have a main user policy that uses a Web filtering policy, a QoS policy, a default routing policy and an App filtering policy.

    Now, let's say we have a user inside this policy that should get access to a specific web site that is currently blocked in the web filtering policy. Also, another user needs to get more/less bandwidth than everyone else. Also, a user has to get routed through a specific link and not follow the default route balance. Also, another user must have an application allowed.

    6 votes
    0 comments  ·  Base System + General UI
  13. Channel Width - Wireless

    Need to have an option to choose the channel width when setting up Access Points in the GUI. It would probably make sense to have it right where you set the channel to auto or manual. By default, the AP55s and AP100s come at 80 MHz channel width, which is not very ideal (unless you only have 1 AP), and there is no way to change it down to VHT40 or 20.

    14 votes
    0 comments  ·  Base System + General UI
  14. DFS Channel Support - Wireless

    Wireless Protection needs to have the ability to use DFS channels (52-144). As is, at 40 MHz channel width, only 4 non-overlapping channels can be used, making it not a lot better than 2.4 GHz.

    33 votes
    0 comments  ·  Base System + General UI
  15. Virtual Firewall

    Zones are a nice new concept because multiple interfaces can be grouped together. However, what I would like to see and get from Zones are Virtual Firewall concepts, as other vendors have.
    In some public tenders, customers explicitly require a virtual firewall (every vendor has different names and you know what I am talking about).
    Until Sophos provides this kind of functionality, they will never be able to fight on equal terms with other vendors in big installations.

    83 votes
    9 comments  ·  Base System + General UI
  16. Email Filtering Profile

    Unified policy rocks. Inside policy we can create and manage multiple IPS profiles, Application control and Web while Email is managed separately, why? So you need to go to email protection > scanning rules and decide what to do with email (pop3, imap, smtp).
    If you have integrated everything, please integrate email profiles inside policy so we do not need to change page to configure email protection.

    4 votes
    0 comments  ·  Base System + General UI
  17. On Demand CPU Scaling

    The firewall would be scaling the CPU up/down depending on utilization. Main benefit would be less power usage, and possibly better efficiency.

    Should use CPU technologies available like AMD's Cool'n'Quiet or Intel's SpeedStep

    6 votes
    0 comments  ·  Base System + General UI
  18. Enable/Disable in DHCP server

    Ability to Enable or Disable DHCP by GUI

    120 votes
    4 comments  ·  Base System + General UI
  19. DHCP - Clients via DHCP/DHCPv6 relay agent

    XG Firewall already has the option to serve either as a DHCP server, or as a DHCP relay agent for another DHCP server. However, when using the XG Firewall as the DHCP server, there is no option to serve DHCP clients via a DHCP relay agent (i.e., when another device is serving as the relay agent). As a result, DHCP pools on the XG Firewall can only be configured using address ranges that are contained within the subnet range of the selected interface. This option is available when setting up address pools in UTM9.

    26 votes
    1 comment  ·  Base System + General UI
  20. Route based VPN in XG Firewall

    Route based VPN is a very much required feature in XG Firewall. A lot of Cyberoam customers are using this feature, primarily for MPLS to VPN failover using Dynamic Routing. In a multi-branch scenario, Sophos cloud is a great solution with Synchronized security. But customers who are using the route based feature are not able to upgrade their Cyberoam devices to SF-OS because of the lack of this feature.

    100 votes
    8 comments  ·  Base System + General UI