DHCP option 42 (NTP) currently can only take static IP. Need to use DNS name as well. So we can use something like pool.ntp.org
15 votes
With an IPv6 WAN interface it's not possible to reach an IPv4 device (IPv6 is not possible for this specific device) over the internet. We need a translation from IPv6 -> IPv4. Business application rules (DNAT, WAF) do not support mixed IPv4/6, only IPv6 for an IPv6 rule and vice versa.
29 votes
Perhaps not the most popular suggestion, but I would gladly pay a modest fee (e.g. 50 USD/year to be on par with Untangle) if some user requests could be fulfilled. I think of
- using the Sophos Home cloud to create integrated reporting
- the ability to use XG as an OpenVPN client so all traffic is protected
- the ability to use Sandstorm
Then again: a big thank you for making the software free to use. Based on this policy, I was able to recommend at least 15 small businesses to move to Sophos.
15 votes
The ability for XG to act as an OpenVPN client with the ability to open separate tunnels based on destination country would be great.
I fully realize this functionality is probably most relevant for non-paying home users, so I ask this with a lot of diffidence.
22 votes
Is it possible to add DNSCrypt support, please? Everything that can be done to make DNS more secure is urgently needed :)
27 votes
In Singapore the IPTV services require DHCP Option 60 to be a specific string before the DHCP server assigns an IP address.
An option to send DHCP Option 60 together with the DHCP Discover packet would be great to have, to enable the XG Firewall to get an IP address from the ISP's DHCP for IPTV.
11 votes
XG16 VMs running under libvirt w/ qemu-kvm won't shut down on request.
Afaik a virsh shutdown sends an ACPI shutdown request to the VM.
But XG16 does not act on the ACPI shutdown request.
No problem with UTM9.
2 votes
Hi team, I noticed that Sophos VPN uses a weak handshake for remote users despite high settings on SSL VPN crypto.
Currently it uses: SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
3DES-EDE is known to be weak.
I think this is a serious problem for such a nice firewall.
Forum post: https://community.sophos.com/products/xg-firewall/f/vpn/84727/sophos-xg-ssl-vpn-remote-use-weaker-handshake-than-specified-and-udp-failed-to-connect/
31 votes
It would be nice to be able to utilize NVMe drives. NVMe native support was added in Linux kernel 3.3. It appears the v16.05 version is utilizing 3.14 currently. Is there a current roadmap for upgrading the kernel 3.3+?
4 votes
Enable WAF Business rules for incoming IPv6 connections.
All the protection is provided for IPv4 webservers, but hosting on IPv6 bypasses protections.
25 votes
IETF standard. Used by real-time comms on webpages.
DESPERATELY needed. HTTPS Decrypt and Scan basically kills it. Please fix!
41 votes
HotSpot feature lacks logging capabilities.
For example, it would be great to automatically map and log the voucher code with the IP address of the user that was using it and create reports based on this.
Without this it's impossible to audit what traffic was generated by that user.
Lukasz Naumowicz
39 votes
The new MTA SMTP deployment mode in SFOS v16 lacks the ability to bypass a (or some) sender/recipient from all email protections. At the moment, we can only create an SMTP policy to bypass a destination email domain from email protections, and it is not practical in most situations.
However, in the Legacy SMTP deployment mode, we can create an SMTP scanning policy to bypass certain senders/recipients from all email protections.
It will be great if MTA mode can be implemented with the feature of bypassing certain senders/recipients from email protections.
77 votes
Specify more destination email addresses in notifications. Now only one!
31 votes
The email sent to users for Quarantine Digest contains a hyperlink to the User Portal. The link uses the IP address and needs to use a hostname.
72 votes
Is there a way to check the real time bandwidth usage for firewall rules?
So the user can distinguish which rule used the most bandwidth and set the proper QoS for it.
Those XG models can be used even on big installations where connections are beyond 10G. Make sure to provide us more power and fast connections on those in order to be competitive against other vendors.
Thank you.
8 votes
Provide a JSON API rather than XML. Since the backend config services use JSON, I'm surprised this wasn't done from the beginning.
18 votes
I have recently migrated my mail server to Office365. Now I'm unable to connect the mail notification to Office365.
18 votes
The download page for authentication clients (System -> Authentication -> Authentication Clients) should display the version that is currently available on the download site to allow for easier comparison to currently deployed client versions.
5 votes