XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.


  1. IPSec Remote Access - Selection of other policy than the default one

    To summarize:


    Default re-key time for IPsec remote access is set to 4 hrs and does not have any option to change it from GUI.
    - This usually happens in the backend without any interruption (with only one authentication). However, if we have configured MFA then it will prompt for the OTP after every 4 hours as it requires reconnecting.

    Administrators may be able to configure this behaviour, as well as be able to associate the IPSec Remote Access to another policy than the default one.

    3 votes

    0 comments  ·  Network Protection
  2. Implement proper ARP handling in multi-interfaces setup ( ARP FLUX problem )

    Dear Sophos!

    Implement proper ARP-FLUX problem handling in multi-interfaces setup.

    ARP-FLUX:
    The ARP Flux problem occurs when a host replies to ARP requests for interfaces on the same subnet, from any interface on that same subnet. ... However, in specific cases, ARP Flux generates unexpected behavior of applications due to incorrect mapping between IPv4 addresses and MAC addresses.

    FIX:
    echo 1 > /proc/sys/net/ipv4/conf/all/arp_filter
    echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
    echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce

    echo 1 > /proc/sys/net/ipv4/conf/default/arp_filter
    echo 1 > /proc/sys/net/ipv4/conf/default/arp_ignore
    echo 2 > /proc/sys/net/ipv4/conf/default/arp_announce

    Request:
    Make these settings default,…

    1 vote

    0 comments  ·  Base System + General UI
  3. STAS support LDAPs on eDirectory mode

    This feature request is in response to the realization that the STAS Agent cannot establish encrypted LDAP communication to a backend eDirectory server.

    Problem: It is not possible to set up the STAS Agent in eDirectory mode with an encrypted (port 636/tcp) LDAP connection. Only a plain text LDAP over port 389/tcp is supported at this time. (We wrote the year 2021 for all readers).

    Function: Establish the configuration option and support encrypted LDAP communication to eDirectory server over port 636/tcp for the STAS agent of Sophos XG Firewall.

    3 votes

    0 comments  ·  Authentication clients
  4. report

    Dear Team

    Currently we are not able to check user-wise web and application reports, such as who is using Tor proxy or any other web or application.

    For example, I have downloaded a movie from a website, but there is no option to find which user has accessed which application.

    2 votes

    0 comments  ·  Reporting
  5. version upgrade failure

    Due to a version upgrade failure (conversion failure), the main unit settings were initialized. The impact is enormous, and we hope for improvements such as reverting to the process before the version upgrade.

    2 votes

    0 comments  ·  Hardware
  6. Sophos Connect Client integration with Mac to allow SSL VPN config

    Sophos Connect Client 2.1 integration with Mac to allow SSL VPN config. This currently works great on Windows but is not supported on Macs yet. Why not? Please keep me posted if this changes in the next MR for the XG.

    7 votes

    0 comments  ·  VPN and RED
  7. Change in configuration

    I would like to have a feature in XG when there is a successful admin login and if any changes are done in XG on admin login.

    3 votes

    0 comments  ·  Reporting
  8. Auto-reconnect feature for Sophos Connect

    For remote access VPN, when the internet connection fluctuates, the VPN disconnects and users need to re-enter their credentials to connect again. It would be great if there was an auto-reconnect feature which would allow the VPN to reconnect automatically without user intervention when the internet is stable again.

    14 votes

    1 comment  ·  VPN and RED
  9. country blocking web server rule

    WAF rules should allow certain countries to be blocked from access.

    4 votes

    0 comments  ·  Webserver Protection
  10. font

    Hello, this is the second time we are reporting that we have many problems using the standard Captive Portal service offered for the Wi-Fi connection. In practice, whenever a generated password is entered that contains characters such as "L" or "I" in upper and lower case, it is not clear what to type. This is very annoying! Please fix the font as soon as possible, or change the method to numbers only?

    1 vote

    0 comments  ·  Authentication clients
  11. Support user authentication in rules from WAN to LAN using 2-factor authentication as we do when connecting to user portal

    Currently LAN to WAN is supported, but not WAN to LAN. Checking known users, selecting users, and having them login if they are an unknown user will be a replacement for the https bookmarks removed from the user portal.

    1 vote

    0 comments  ·  Network Protection
  12. DHCP Options GUI in WebAdmin

    DHCP Options configurable from the GUI (as they are in UTM 9.x) needs to be implemented in XG or it remains an incomplete product.

    Why? One big reason: when managing multiple DHCP scopes, it is inefficient in CLI; we need to be able to control this visually. We are managing more and more devices every day in small partner companies, and we don't have time to go into CLI mode and make these changes, but a GUI makes it quick and clean to add/modify Voice DHCP Options and more.

    Should be in there!

    5 votes

    0 comments  ·  Base System + General UI
  13. After Psiphon blocking, user web access does not work without the certificate

    After Psiphon blocking, user web access does not work without the certificate, so please provide a solution for Android phones.

    1 vote

    0 comments  ·  Application Control
  14. implement cli fast ping

    Some network equipment vendors provide zero interval icmp or tcp ping in the os. This will ping at a rate only limited by the response time of the destination with no delay enforced between pings. This is valuable for identifying packet loss due to problematic cabling or links missed by rate limited ping. At remote offices during diagnostics where this is also not available in the switch it's convenient to have it in the firewall/router rather than having to access a local computer to run psping (-i 0) or similar tool.

    1 vote

    0 comments  ·  Base System + General UI
  15. SSLVPN on ARM processor

    New notebooks are now based on ARM processors and they are not able to support SSLVPN

    5 votes

    0 comments  ·  VPN and RED
  16. Allow use of self signed certificate for LDAP

    The firewall does not currently allow for connecting to LDAP servers with self-signed certificates.
    When connecting to Gsuite LDAP the XG firewall tries to validate the certificate before calling the LDAP server. This validation fails since the certificates are self-signed by Google.

    6 votes

    0 comments  ·  Authentication clients
  17. 2 votes

    0 comments  ·  Application Control
  18. hwp filetype scanning support in sandstorm

    The customer wants hwp file type scanning support in a sandstorm.

    As of now, we don't support the hwp scanning in a sandstorm.

    0 votes

    0 comments  ·  Webserver Protection
  19. Revert subject of gateway status notification e-mails back to SFOS 17 style

    We use a RMM that allows us to assign an incoming alert e-mail to a specific client based on the subject, which we labeled the gateway name on the Sophos appliance based on the client ID and ISP, for example "XYZ Comcast". When a client's Sophos appliance with SFOS 17 would report an interface is down via e-mail, the ticket would be assigned to client XYZ in our RMM due to the subject: Gateway XYZ Comcast Went Down or Gateway XYZ Comcast Went Up

    With SFOS 18 the subject is now "ALERT Sophos XG Firewall - Gateway status" and…

    1 vote

    0 comments  ·  Network Protection
  20. Blocked sender list should only be applied to incoming mails

    The email address block list is (since Firmware 18.3 / change ID NC-59396) also applied to mails from our internal mail server to external smtp servers. Adding the local domain to the block sender list is not possible. We cannot ensure that mails from external senders, using our domain as sender address (=email address fraud) will be rejected. The sender block list should be applied to mails from WAN sources.

    2 votes

    0 comments  ·  Email Protection