XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.

  1. DHCP option 42 (NTP) use DNS name

    DHCP option 42 (NTP) currently can only take static IP. Need to use DNS name as well. So we can use something like pool.ntp.org

    15 votes
    0 comments  ·  Base System + General UI
  2. NAT64 support

    With an IPv6 WAN interface it's not possible to reach an IPv4 device (IPv6 is not possible for this specific device) over the internet. We need a translation from IPv6 -> IPv4. Business application rules (DNAT, WAF) do not support mixed IPv4/6, only IPv6 for an IPv6 rule and vice versa.

    29 votes
    1 comment  ·  Base System + General UI
  3. Make home license payable but cater to some home user requests

    Perhaps not the most popular suggestion, but I would gladly pay a modest fee (e.g. 50 USD/year to be on par with Untangle) if some user requests could be fulfilled. I think of

    - using the Sophos Home cloud to create integrated reporting
    - the ability to use XG as an OpenVPN client so all traffic is protected
    - the ability to use sandstorm

    Then again: a big thank you for making the software free to use. Based on this policy, I was able to recommend at least 15 small businesses to move to Sophos.

    15 votes
    0 comments  ·  Base System + General UI
  4. XG as OpenVPN client

    The ability for XG to act as an OpenVPN client with the ability to open separate tunnels based on destination country would be great.
    I fully realize this functionality is probably most relevant for - non paying - home users so I ask this with a lot of diffidence.

    22 votes
    2 comments  ·  Network Protection
  5. Dnscrypt

    Is it possible to add DNScrypt support, please? Everything that can be done to make DNS more secure is urgently needed :)

    27 votes
    4 comments  ·  Network Protection
  6. DHCP client Option 60 on WAN Interfaces (for IPTV in Singapore)

    In Singapore the IPTV services require DHCP Option 60 to be a specific string before the DHCP server assigns an IP address.
    An option to send a DHCP Option 60 together with the DHCP Discover packet would be great to have, to enable the XG Firewall to get an IP address from the ISP's DHCP for IPTV.

    11 votes
    5 comments  ·  Base System + General UI
  7. shutdown for XG VMs running on libvirt w/ qemu-kvm

    XG16 VMs running under libvirt w/ qemu-kvm won't shut down on request.
    Afaik a virsh shutdown sends an ACPI shutdown request to the VM.
    But XG16 does not act on the ACPI shutdown request.
    No problem with UTM9.

    2 votes
    0 comments  ·  Base System + General UI
  8. Weak handshake - SSL VPN

    Hi team, I noticed that Sophos VPN uses a weak handshake for remote users despite high settings on SSL VPN crypto.
    Currently it uses: SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
    3DES-EDE is known to be weak.
    I think this is a serious problem for such a nice firewall.
    Forum post: https://community.sophos.com/products/xg-firewall/f/vpn/84727/sophos-xg-ssl-vpn-remote-use-weaker-handshake-than-specified-and-udp-failed-to-connect/

    31 votes
    0 comments  ·  Network Protection
  9. NVMe support - Kernel Upgrade

    It would be nice to be able to utilize NVMe drives. NVMe native support was added in Linux kernel 3.3. It appears the v16.05 version is utilizing 3.14 currently. Is there a current roadmap for upgrading the kernel 3.3+?

    4 votes
    0 comments  ·  Base System + General UI
  10. IPv6 WAF Support

    Enable WAF Business rules for incoming IPv6 connections.

    All the protection is provided for IPv4 webserver, but hosting on IPv6 bypasses protections

    25 votes
    3 comments  ·  Webserver Protection
  11. WebSocket

    Websocket.

    IETF standard. Used by real-time comms on webpages.

    DESPERATELY needed. HTTPS Decrypt and Scan basically kills it. Please fix!

    41 votes
    8 comments  ·  Web Protection
  12. HotSpot logging

    hotspot

    HotSpot feature lacks logging capabilities.

    For example, it would be great to automatically map and log the voucher code with the IP address of the user that was using it and create reports based on this.
    Without this it's impossible to audit what traffic was generated by that user.

    Same issue is with UTM:
    http://ideas.sophos.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/10924653-logging-for-hotspot-vouchers

    Thanks,
    Lukasz Naumowicz

    39 votes
    0 comments  ·  Wireless Protection
  13. XG MTA mode - bypass a sender/recipient from email protection

    The new MTA SMTP deployment mode in SFOS v16 lacks the ability to bypass a (or some) sender/recipient from all email protections. At the moment, we can only create an SMTP policy to bypass a destination email domain from email protections, and it is not practical in most situations.
    However, in the Legacy SMTP deployment mode, we can create an SMTP scanning policy to bypass certain senders/recipients from all email protections.
    It would be great if MTA mode could be implemented with the feature of bypassing certain senders/recipients from email protections.

    77 votes
    6 comments  ·  Email Protection
  14. Email Notification

    Specify more destination email addresses in notifications. Now only one!

    31 votes
    1 comment  ·  Base System + General UI
  15. User Portal link in quarantine digest need to use hostname

    The email sent to users for Quarantine Digest contains a hyperlink to the User Portal. The link uses the IP address and needs to use a hostname.

    72 votes
    19 comments  ·  Email Protection
  16. A way to check the real time bandwidth usage for rules

    Is there a way to check the real time bandwidth usage for firewall rules?

    So user can distinguish which rule used the most bandwidth and set the proper QoS for it.

    Thanks~

    160 votes
    6 comments  ·  Base System + General UI
  17. Add 40GE QSFP+ slots on XG650/XG750

    Those XG models can be used even on big installations where connections are beyond 10G. Make sure to provide us more power and fast connections on those in order to be competitive against other vendors.
    Thank you.

    8 votes
    0 comments  ·  Base System + General UI
  18. JSON API

    Provide a JSON API rather than XML. Since the backend config services use JSON, I'm surprised this wasn't done from the beginning.

    18 votes
    0 comments  ·  Base System + General UI
  19. I want to connect my E-mail notification with office365

    I have recently migrated my mail server to Office365. Now I'm unable to connect the mail notification to Office365.

    18 votes
    9 comments  ·  Reporting
  20. Display current client version of Authentication Client Downloads

    The download page for authentication clients (System -> Authentication -> Authentication Clients) should display the version that is currently available on the download site to allow for easier comparison to currently deployed client versions.

    5 votes
    0 comments  ·  Base System + General UI