XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.

  1. Export Firewall/NAT Rules to CSV or PDF

    Add ability to export active (in case filtering is applied) firewall/NAT rules with their stats to CSV or PDF for external reporting requirements.

    4 votes
    0 comments  ·  Base System + General UI
  2. country blocking

    Country Blocking should have an option for blocking the uncategorized Public IPs.
    These are noted as not belonging to a country, and they do not get blocked by default. I would like an inclusion of a group called "Uncategorised", and this would block all the Public IPs that have no categorisation; an exception can always be made later if they are required. This also happens on the SG UTM boxes as well.

    5 votes
    0 comments  ·  Network Protection
  3. How to Allow ICMP request from WAN on Public Alias IP Address in Sophos XG?

    We want to allow ICMP request from WAN on Public Alias IP address to check whether the internal host is up or down. Internet should not be able to ping the NAT public IP address if the host is down. Any ideas how to do it?

    2 votes
    0 comments  ·  Network Protection
  4. Policy Tester - Allow testing DNAT (published services)

    Hi all,

    It would be great if you could test published services in the "Policy Tester" section.

    Especially since you're trying to push v18, why not add that possibility? The policy tester can already tell you the rule and NAT of outgoing traffic to the internet.

    And since decoupling NAT and firewall rules will cause a lot of NAT rules (especially in mid to large companies), checking those in the little screen that SFOS provides is not great.

    Thanks!

    1 vote
    0 comments  ·  Base System + General UI
  5. Full width dashboard, not limited to max-width

    Hi,

    I'm using firmware 18.
    Up until now, there is no benefit to using a resolution higher than 1366x768 px.
    Let's say you have FHD resolution: the dashboard is capped at 1280px.

    The CSS says

    wrapper.cp-wrapper {
        max-width: 1280px;
    }

    If I rule out that CSS, most of the UI will benefit from a higher resolution.

    Also with the menu

    element.style {
        display: table;
        box-sizing: border-box;
        padding: 0px 10px;
        width: 1100px;
        height: 62px;
    }

    Change the width to

    element.style {
        display: table;
        box-sizing: border-box;
        padding: 0px 10px;
        width: calc(100% - 180px);
        height: 62px;
    }

    And you have a full width header.

    I know you guys can…

    12 votes
    1 comment  ·  Base System + General UI
  6. IPSec VPN Client Connections Need to generate a SIEM-compatible event

    Sophos Connect client IPSec connections generate separate log events for EVERY SUBNET mapped. There is no single event that any SIEM recognizes as a VPN login event. Every other firewall vendor we've tried doesn't have this issue.

    2 votes
    0 comments  ·  VPN and RED
  7. 45 votes
    4 comments  ·  Base System + General UI
  8. Force Microsoft NCSI probe as SSL VPN Connects

    (For Sophos Tech Support, this is from the back of #9887121)

    I was asked by Sophos Support Rep to post a feature request.

    We have seen with a large amount of our customers an issue arise whereby Sophos SSL VPN (OpenVPN) connects to the Sophos XG fine. With Sophos XG having "Default Gateway" checked for the SSL VPN users a default route is established as we expect.

    However, it can take a while for Microsoft NCSI to complete its probe to check if there is internet access. While the VPN interface is in "NoTraffic" or "No network access" mode, before…

    4 votes
    0 comments  ·  VPN and RED
  9. internet voucher

    In wifi voucher, I suggest adding a voucher with a long period of validity but with a limited daily quota.

    As an example: a voucher valid for one year with a limited daily quota of 500mb.

    3 votes
    0 comments  ·  Wireless Protection
  10. Application filter category : Ads & Tracker

    In the application filter there is a category called "e-commerce". When you look inside the application list, you can see a lot of banking apps listed but also Ad-Server apps and trackers. It would be nice if there were a separate new category like "Ads & Tracker". This would make it easier for the administrator to filter and block unproductive web apps.

    2 votes
    0 comments  ·  Application Control
  11. scanning

    XG Firewall doesn't support "Scan FTP for malware" scanning of FTP traffic for explicit over TLS

    1 vote
    1 comment  ·  Network Protection
  12. Implement "Keep Nodes Reserved" in HA-Function

    So as we have seen with the update to SFOS 17.5 MR10, it could be possible that access to the Web-Interface is blocked and loading a previous firmware with SF Loading is also not possible. In our case SF Loading was not possible because the console did not accept the password (probably because of the German keyboard layout or special characters in the password).

    So in a production environment, where time is very important, a feature as "keeps node reserved" like it is implemented in UTM-9 is gold.

    For me SF Loading like it is actually implemented is nice but not helpful for…

    1 vote
    0 comments  ·  Base System + General UI
  13. Implement "Keep Nodes Reserved" in HA-Function

    So as we have seen with the update to SFOS 17.5 MR10, it could be possible that access to the Web-Interface is blocked and loading a previous firmware with SF Loading is also not possible. In our case SF Loading was not possible because the console did not accept the password (probably because of the German keyboard layout or special characters in the password).

    So in a production environment, where time is very important, a feature as "keeps node reserved" like it is implemented in UTM-9 is gold.

    For me SF Loading like it is actually implemented is nice but not helpful for…

    0 votes
    0 comments  ·  Base System + General UI
  14. Have an option on creating SD WAN policy routing for VPN zone

    Hello Team,

    Requesting to have an option on SFOS V18 for creating SD WAN policy routing for the VPN zone
    so that we can configure a primary and secondary gateway for the VPN to WAN firewall rule.

    For your assistance please.

    Thank You.

    1 vote
    0 comments  ·  VPN and RED
  15. application control

    Show blocking page when an application is blocked by application control.
    Currently we only see a browser error when an application is blocked and we often need to check the logs to find out which application caused the block.

    3 votes
    0 comments  ·  Application Control
  16. Google Admin Domain Added to Authentication Servers

    I have an XG330 box, with user accounts available in a Google admin mail domain. I want to use the Gmail accounts for authentication purposes. How can I add the Server Authentication to the Google domain?

    1 vote
    0 comments  ·  Authentication clients
  17. Allow ACLs when using a "Deny All" Firewall Rule

    We have created a "Deny All" rule to ensure that any blocked traffic is logged. When we enable this, we lose access to the XG via the WAN Interface when using ACLs.

    Can it be implemented that ACLs take precedence over the Firewall rules?

    There are numerous other ideas relating to similar issues that may also overcome this problem:

    Display 'hidden' firewall rules on the firewall page:
    https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/32511967-display-hidden-firewall-rules-on-the-firewall-pa

    Relocate Local Service ACL Exception Rules to just be firewall rules:
    https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/31652716-relocate-local-service-acl-exception-rules-to-just

    Local ACL exceptions should not be logged to the last firewall rule ID:
    https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/37296451-local-acl-exceptions-should-not-be-logged-to-the-l

    6 votes
    0 comments  ·  Base System + General UI
  18. umlauts

    Support for umlauts on ssl vpn

    2 votes
    0 comments  ·  VPN and RED
  19. Request SNMP support for the Sophos Wifi APs

    Request SNMP support for the Sophos Wifi APs

    Dear Sophos!
    Add basic SNMP features to be able to monitor the wifi-ap hardware from 3rd-party network management software:
    -SNMP OIDs
    -SNMP trap
    -Syslog (remote syslog server)

    1 vote
    0 comments  ·  Hardware
  20. Automatically add ipsec_route(s) when configuring a site-to-site IPSec VPN

    By default traffic destined for any remote IPSec VPN subnets will be classified as 'WAN' if you do not manually configure ipsec_route(s) using the device console.

    This process should be automated when configuring remote network(s) for a site-to-site IPSec VPN connection.

    1 vote
    0 comments  ·  VPN and RED