XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.

  1. cisco

    Cisco ASA to Sophos XG Migration tool

    1 vote

    0 comments  ·  Base System + General UI
  2. WAF Source Filter by FQDN

    Currently WAF rules can only have their source filtered by IP or by Network, while regular DNAT rules can be filtered by IP, IP Range, IP List, MAC Address, MAC List, Host Group, Network, FQDN Host, FQDN Host Group, or Country Group.

    I'd like the functionality of the WAF source filter to be expanded to have the same capabilities as a full DNAT rule.

    I'm specifically after the FQDN host so we can filter and use DynDNS hostnames, but the other things would be handy as well.

    1 vote

    0 comments  ·  Network Protection
  3. synchronised ID authentication (Heartbeat) for different UPN domains in one DC

    DCs can only authenticate against one UPN domain. My AD uses several UPN domains, so that e-mails coincide with user accounts, as we own different domains. So I can only use Heartbeat authentication with users in the same domain as configured in DC, or I have to create as many DCs as domains, which does not make any sense.

    Can you enable the capability to authenticate against different domains, by allowing to add several domains in the domain field of the DC access server?

    4 votes

    0 comments  ·  Synchronized Security (Heartbeat)
  4. http waf connections reset after changing remote desktop waf template rule

    As described in your article: https://docs.sophos.com/nsg/sophos-firewall/17.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/tasks/MicrosoftRemoteDesktopGateway2008andR2.html
    As soon as a new HTTP based rule configuration has been created and saved or an existing HTTP based rule configuration has been altered and saved, all HTTP based business rules will be restarted. Any underlying client connection using a HTTP based business rule will get lost and has to be re-established.

    This should not happen, and it should be corrected.

    1 vote

    0 comments  ·  Webserver Protection
  5. Support for Industrial Control and Automation Protocols (SCADA) in DPI / IDS

    Idea originally posted by TheMachineWhisperer in 2018 but never responded to by Sophos.

    Security for industrial automation, critical infrastructure, and SCADA systems is very much a critical issue.

    We would like to see some development to include capability for Deep Packet Inspection and control of industrial control protocols such as:

    Modbus TCP
    Ethernet/IP (CIP)
    OPC Classic (DCOM / RPC)
    Siemens S7
    DNP3
    etc.

    Inclusion of rules for these into IDS would also be welcomed.

    A number of vendors approaching us are starting to get into this specialist area of the market and it would be great to see Sophos…

    3 votes

    0 comments  ·  Network Protection
  6. API user last login other details

    Want to get the following details for VPN users.


    1. User create date

    2. User last modified date

    3. User last connection date

    4. User last date of password change

    This information via API would assist with internal compliance audit and auto disable of accounts not in use as well as automated emails to change passwords.

    4 votes

    0 comments  ·  Reporting
  7. Bandwidth Graph for IPSEC VPN Tunnel

    A bandwidth graph for an IPSEC VPN tunnel gives us an overview of the traffic currently consumed by the VPN tunnel, which is not possible in Sophos XG; only the interface graphs can be viewed.

    8 votes

    0 comments  ·  Base System + General UI
  8. Enable/Disable SSL/TLS inspection per firewall rule

    In v18 of SFOS of my XG firewall, SSL/TLS inspection is a global on/off setting. I would like to be able to control the use of SSL/TLS inspection per rule instead of globally.

    I have an old copier trying to send secure emails and the inspection engine is erroring out with a timeout error. There is no way to make an exception for this. If I could just create a new firewall rule so this copier could send out emails, that would be great, while leaving SSL/TLS inspection enabled for all the other rules. In v17 everything worked fine.

    5 votes

    2 comments  ·  Network Protection
  9. Quarantine report - Phishing/Spoofing

    Sender field, in quarantine report email, currently presents only the forged/fake address of a Phishing/Spoofing email.

    A good idea would be to add the real Sender Address, and maybe color it with RED to be eye-catchy and alert the user to pay attention to it.
    Alternatively, display only the original email address.

    4 votes

    0 comments  ·  Email Protection
  10. IPSEC Site to Site with IKEv2 and RSA Keys should rekey instead of reauthenticating when phase 1 expires

    Actually, when phase 1 expires with IKEv2 and RSA keys, reauthentication happens, which leads to a short VPN interruption and the corresponding log entries showing the connection as down and up again.
    I'd like to propose to implement "reauth=no" in the VPN Configuration. This will lead to rekeying instead of reauthentication when phase 1 expires. Rekeying happens on the fly without interrupting the tunnel and also without the log entries.
    This feature request was created based on the Sophos support ticket number [ ref:00D301GN6a.5003Z1728jB:ref ].

    7 votes

    1 comment  ·  VPN and RED
  11. Ability to pull traffic reports that display IPs as well as the associated MAC address of the PC using the IP.

    We would like the ability to generate traffic reports from our XG firewall that include the MAC address of the PC using an IP at the time. Currently we can see the IP and the host name of the PC; however, since DHCP can lease that same IP out to multiple computers within one month, we would like a way to differentiate which PC used the IP and how much traffic each PC used. Thus displaying the IP alongside the associated MAC address and total data usage would be ideal.

    We would like to pull a weekly report…

    1 vote

    0 comments  ·  Reporting
  12. Multicast Forwarding For Entire Network

    It would be helpful if there was an option to select an entire network or a range of IP addresses for multicast forwarding. Currently, only individual IP addresses can be entered.

    3 votes

    0 comments  ·  Hardware
  13. IPoE IPv4 in IPv6 Static Global IP Address Service [Japan JPNE V6 Plus Service ]

    I would like Japan's JPNE to support IPoE IPv6 Plus (IPv4 in IPv6 fixed global IPv4 service) provided by NTT's NGN network.

    FortiGate is supported, so please use Sophos XG Firewall.

    https://www.jpne.co.jp/service/v6plus-static/

    3 votes

    2 comments  ·  Base System + General UI
  14. Email notification when WAN link is up

    When our ISP is down, we receive an email notification that the particular WAN connection is down. However, we never get a notification when it is back up. Instead we have to go into the web GUI to confirm. I would really like to be notified when our connection is up after it has been down. I have talked to support about this and they have said that Sophos does not support this feature; please reference [ref:00D301GN6a.5003Z1BCbKS:ref ] for more details.

    6 votes

    0 comments  ·  Base System + General UI
  15. Bugs in Authentication Agent for macOS

    When OTP (one-time password) is enabled for User Portal it causes the Client Authentication Agent for macOS to not work UNLESS the user enters their username and password PLUS their OTP token.

    I have tested and confirmed this with Sophos support.
    Enabling OTP for the User Portal should have NOTHING to do with the Authentication Agent for macOS. Furthermore, the Authenticator agent should never require an OTP. Otherwise the poor user will need to re-enter his or her credentials every time their Mac is rebooted.

    Second bug: There is an on-going display issue with the Authentication Agent for macOS. The…

    2 votes

    0 comments  ·  Authentication clients
  16. Need " Force change default password at first logon and expiry policy " in XG Firewall

    We need to change the default user password at first login and an expiry policy, or another easy way for users to change their password by themselves.

    1 vote

    0 comments  ·  Authentication clients
  17. Requirements Hotspot Password (POTD)

    Change the requirements of the Hotspot Password (POTD). The password is now generated with 10 characters (a-z, 0-9). Make it possible to change it, for example 12 characters (a-z, A-Z, 0-9, !@#$).

    2 votes

    0 comments  ·  Wireless Protection
  18. Implement "remember username/password" feature on Captive portal

    Captive Portal needs a feature to allow remembering of username/password, as the users are having to re-type their username every time they want to access the internet.

    2 votes

    0 comments  ·  Wireless Protection
  19. Update the Addons

    Please, whenever a new version of the firewall firmware is released, update the add-ons, like the Outlook Add-in, to the latest version, so that the Add-in can be downloaded from the User Portal and installed with the current MS Office version, because I think it is difficult to find the latest version of the Add-in on your website and the MYSophos account doesn't list it. I searched for 3 months for the Add-in which worked with MS Office 2016 and then found it here: https://www.sophos.com/en-us/support/downloads/email/sophos-outlook-add-in.aspx

    1 vote

    0 comments  ·  Base System + General UI
  20. Need Bulk Users Upload Feature (Highly Important)

    I don't know what the logic is behind removing the Bulk Users upload feature.
    Really bizarre; in this new MR-4 firmware they have not provided this feature either.
    Sophos is not fulfilling customer satisfaction, and also does not provide an alternative solution.
    They force customers to use whatever they provide.

    Could you add 100 users every week manually?

    2 votes

    0 comments  ·  Application Control