XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.

  1. GEO/DNAT Policy Test Tool

    Hello,

    we would like to have a diagnostic tool to test firewall rules with geo restriction.

    At the moment it is difficult to test geo restriction if you don't have any host from a certain country / IP range.

    Thanks!

    3 votes
    0 comments · Reporting
    • RBL type group can be used in Blocked client networks of Firewall rule.

      RBL type group can be used in Blocked client networks of Firewall rule.
      If the user's email password is leaked, the hacker will use the managed host to connect to the mail server. Most of these hosts come from low-reputation IP addresses, so we can deny connection requests from these low-reputation IPs in the business policy.

      3 votes
      0 comments · Network Protection
      • Heartbeat support for Mac/Linux over SSLVPN

        Mac and Linux clients are currently not able to send their heartbeat over the SSL client VPN.
        How can we ever build a secure network for everyone?

        1 vote
        0 comments · Synchronized Security (Heartbeat)
        • Heartbeat client list must be available at ANY time

          Heartbeat client list must be available at ANY time, not only if there is a missing or at-risk client.
          Otherwise there is no way to determine which client is registered with heartbeat (especially as live connections heartbeat clients differ from Security Heartbeat status).

          5 votes
          0 comments · Base System + General UI
          • RED Service (port 3400) should be considered a Local Service like User Portal or SSL VPN

            The RED service should be considered a Local Service and allowed to attach to the Zone of our choosing. This would allow us to easily add Local ACLs to limit which external IP addresses port 3400 is open on, among other things. As currently configured, having port 3400 open and using a self-signed certificate fails PCI compliance scanning.

            1 vote
            0 comments · VPN and RED
            • Dual-Stack (IPv4+IPv6) Single Sign-On

              IPv6 is a reality and there are a lot of installations that have dual-stack networks in operation, essentially meaning the user has both IPv4 and IPv6 IPs and currently has to authenticate on both of them independently.

              Instead, the sign-on page, when it loads in the user's browser, should be able to detect both IPv4 and IPv6 address reachability from the client to the XG firewall, and the username/password provided should be used to authenticate for both of them.
              We have to make a workaround using our internal servers to do the same as we…

              2 votes
              0 comments · Base System + General UI
              • Through Public IP Remote login Live user monitoring option

                Through Public IP Remote login Live user monitoring option

                1 vote
                0 comments · Reporting
                • Master and ***** identification in HA

                  It would be great if Master and ***** are identified in HA configuration. It is not possible to know which one is the master, only the active and standby.

                  2 votes
                  0 comments · Base System + General UI
                  • Wi-Fi URL Redirection and MAC address based managing

                    I need to set up URL redirection for all Wi-Fi guest access: once guests fill in their details and submit the form, they get internet access. I would like to be able to do the following:
                    1. VLAN configuration: Wi-Fi port to be configured as a VLAN-based URL redirection.
                    2. Condition: Access to the internet based on the submit button inside the form.
                    3. Use MAC address criteria so that if the same customer needs to access the Wi-Fi the next day, he will not need to fill in the form again.

                    2 votes
                    0 comments · Network Protection
                    • Change power button to allow graceful shutdown

                      It would be great if the behavior of the power button on the back of XG appliances could be configurable.

                      At the moment if you press the button on an XG85 the unit turns off immediately.
                      We'd like to change this to trigger a graceful shutdown.

                      We have appliances that tour and are set up and packed up every few days and would rather be shutting them down properly.

                      3 votes
                      0 comments · Base System + General UI
                      • SSL VPN OTP format

                        SSL VPN OTP should be able to be configured to not be current password + OTP. We would just like it to be OTP to log in; we should have the option to just use the OTP from the authenticator app.

                        3 votes
                        0 comments · VPN and RED
                        • Force Sync AD Server

                          https://community.sophos.com/products/xg-firewall/f/sophos-xg-firewall-general-discussion/97083/how-to-force-an-ad-sync

                          I have an AD connector located under Configure - Authentication - Servers and that is reading in a few groups from AD and a bunch of users.

                          If I remove a user from one of the groups in AD and add them to another group in AD, the change doesn't seem to reflect reliably in the Sophos.

                          8 votes
                          0 comments · Base System + General UI
                          • Delete Failed Messages

                            Would be nice if you could display more than 20 messages at a time for those situations where massive amounts of email need to be deleted from logs. We were just in the situation where we had to delete 7,000 messages and had to do them 20 at a time. We shouldn't need to run a script on the backend or call technical support. Have maybe 20 message option, 100 message option, 500, 1000, etc.

                            3 votes
                            0 comments · Email Protection
                            • Balance bandwidth option for QoS

                              Currently there are two options - limit and guarantee. It'd be very interesting if there was an option to divide the available bandwidth between all users (so if you have 5 users and a 100mbit connection, each user would get 20mbit for himself). This would allow the network to be fast most of the time, while being able to cope with a high number of devices.

                              1 vote
                              0 comments · Network Protection
                              • Combine IPv4 and IPv6 firewall rules

                                There should only be one list of firewall rules, with IPv4 and IPv6 as options within each. So each rule can apply to v4, v6 or both simply by toggling the appropriate check box. (See pfSense. This is how it handles firewall rules and it's far superior.)
                                The current separate list of IPv6 rules requires double the effort to set up matching rules and can result in overlooking one or the other protocol.

                                2 votes
                                0 comments · Base System + General UI
                                • Assign multi IPs to a single clientless user

                                  Allow multiple IPs (predefined as static) to be assigned to a single clientless user. This will be especially helpful for environments with lots of IoT devices, as they can all be assigned by groups to multiple users, greatly increasing the readability and usefulness of the reports. For example, all smart bulbs can be assigned to one user, all Alexa devices to another, as opposed to having 30-odd individual clientless users cluttering reports.

                                  2 votes
                                  0 comments · Base System + General UI
                                  • Device Access Profile - Fine Grained Options

                                    I want to give some Admins permission to make certain changes in the firewall settings. The problem with Device access profiles is that there aren't enough detailed options to limit the admin from certain firewall rules.
                                    It would be nice if we could give certain admin users permission to edit certain firewall rules only and not all of them.

                                    1 vote
                                    0 comments · Base System + General UI
                                    • Scheduled Reports - Attachment Format

                                      "Report Scheduling" (on SFOS 17.1.3 MR-3) seems to only be able to be sent as a PDF.
                                      This is quite limiting and not ideal.

                                      We would like a way to be able to change it to be HTML, PDF or CSV (like we can when we download it manually).

                                      1 vote
                                      0 comments · Reporting
                                      • Sophos Connect IPSec mapping Network Drives

                                        Sophos Connect IPSec Client should have a possibility to execute a login script after successful connection for mapping network drives (for example, like the Sonicwall VPN Client),
                                        or a possibility to execute a script on the client side.

                                        3 votes
                                        0 comments · VPN and RED
                                        • SSL VPN

                                          Provide an SSL VPN connect option on the desktop, with only a single click and without any right-click option.

                                          0 votes
                                          0 comments · Synchronized Security (Heartbeat)