DHCP option 42 (NTP) currently can only take static IP. Need to use DNS name as well. So we can use something like pool.ntp.org

With ipv6 wan interface its not possible to reach an ipv4 (ipv6 is not possible for this specific device) device over the internet. We need an translatoon from ipv6 -> ipv4. business application rules (dnat, waf) does not support mixed ipv4/6. only ipv6 for an ipv6 rule and vice versa.

Perhaps not the most popular suggestion, but I would gladly pay a modest fee (e.g. 50 USD/year to be on par with Untangle) if some user requests could be fulfilled. I think of

- using the Sophos Home cloud to create integrated reporting
- the ability to use XG as an OpenVPN client so all traffic is protected
- the ability to use sandstorm

Then again : a big thank you for making the software free to use. Based on this policy, I was able to recommend at least 15 small business to move to Sophos.

The ability for XG to act as an OpenVPN client with the ability to open separate tunnels based on destination country would be great.
I fully realize this functionality is probably most relevant for - non paying - home users so I ask this with a lot of diffidence.

Is it possible to add DNScrypt-support please ? Everything that can be done to make DNS more secure is urgently needed :)

In singapore the IPTV Services requires DHCP Option 60 to be a specific string before the DHCP Server assigns an IP Address.
With an option to send a DHCP Option 60 together with the DHCP Discover packet would be great to have, to enable the XG Firewall to get an IP Address form the ISP's DHCP for IPTV

XG16 VMs running undr libvirt w/ qemu-kvm won't shutdown on request.
Afaik a virsh shutdown sends an ACPI shutdown reqesut to the VM.
But XG16 doies not act on the ACPI shutdown request.
No problem with UTM9.

Hi team, I noticed that Sophos VPN use weak handshake for remote user despite high settings on SSL VPN crypto.
Currently it uses: SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
3DES-EDE is known to be weak.
I think this is a serious problem for such a nice firewall.
Forum post: https://community.sophos.com/products/xg-firewall/f/vpn/84727/sophos-xg-ssl-vpn-remote-use-weaker-handshake-than-specified-and-udp-failed-to-connect/

It would be nice to be able to utilize NVMe drives. NVMe native support was added in Linux kernel 3.3. It appears the v16.05 version is utilizing 3.14 currently. Is there a current roadmap for upgrading the kernel 3.3+?

Enable WAF Business rules for incoming IPv6 connections.

All the protection is provided for IPv4 webserver, but hosting on IPv6 bypasses protections

Websocket.

IETF standard. Used by real-time comms on webpages.

DESPERATELY needed. HTTPS Decrypt and Scan basically kills it. Please fix!

hotspot

HotSpot feature lacks logging capabilities.

For example it would be great to autmatically map and log voucher code with IP address of user that was using it and create reports based on this.
Without this it's impossible to audit what traffic was generated by that user.

Same issue is with UTM:
http://ideas.sophos.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/10924653-logging-for-hotspot-vouchers

Thanks,
Lukasz Naumowicz

The new MTA SMTP deployment mode in SFOS v16 lacks the ability to bypass a (or some) sender/recipient from all email protections. At the moment, we can only create a SMTP policy to bypass a destination email domain from email protections, and it is not practical in most situations.
However, in the Legacy SMTP deployment mode, we can create a SMTP scanning policy to bypass certain sender/recipient from all email protections.
It will be great if MTA mode can be implemented with the feature of bypass certain sender/recipient from email protections.

Specify more destination email address in notifications. Now only one!

The email sent to users for Quarantine Digest contains a hyperlink to the User Portal. The link uses the IPAddress and needs to use a hostname.

Is there a way to check the real time bandwidth usage for firewall rules?

So user can distinguish which rule used the most bandwidth and set the proper QoS for it.

Thanks~

Those XG models can be used even on big installation where connection are beyond the 10G. Make sure to provide us more power and fast connection on those in order to be competitive against other vendors.
Thank you.

Provide a JSON API rather than XML. Since the backend config services uses JSON, I'm surprised this wasn't done from the begining.

i have recently migrate my mail server to office365. Now i m unable to connect the mail notification to office365

The download page for authentication clients (System -> Authentication -> Authentication Clients) should display the version that is currently available on the download site to allow for easier comparison to currently deployed client versions.