XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.

  1. Bridge like UTM9

    XG has some limitations when it is working as a bridge:
    Dynamic DNS
    Multicast Routing
    DHCP Client
    IPsec VPN
    VLAN
    Virtual Host
    PPPoE
    Bridge (a Bridged Interface cannot be a member of Bridge)
    Have a look at this KB for more information: https://community.sophos.com/kb/en-us/123276
    This will prevent XG from being installed in environments that cannot be modified but where those features are needed.
    Competition does not have this kind of problem.

    129 votes
    2 comments  ·  Base System + General UI
  2. Reason for email quarantine in quarantine list

    It would be great to use the GUI to see at a glance the reason for why an email was sent to the quarantine. Currently the easiest way to do this in the GUI is to un-check all of the "filter-by" options and check them one by one until you find the reason.

    Ideally an additional column would be added to the list that states the reason (Blocked Source IP, Spam, Infected, etc.). It would also be nice if the UI of the email filter section was brought in line with other parts of the XG, such as the live users…

    88 votes
    2 comments  ·  Email Protection
  3. Register Guest Users via Email Authentication & Delivery Method

    With the current method of Guest User Registration you can only manually register users yourself or Users have to register their phone number and get a text message which can be complex, painful to set up and costly in the long term.

    We need more options for Guest User registration, ideally via email would be the best fall back. Although the user will be wanting to connect via the WiFi because it would be better than their data, they should generally have enough data capability to receive an email. This would be simple and low cost to set up, additionally…

    32 votes
    2 comments  ·  Base System + General UI
  4. Notify sender when email is rejected after acceptance

    Accepted e-mails may never be lost.

    If an assumed e-mail is discarded due to an e-mail policy, a notification to the sender must be made. False positives always occur.

    If an e-mail is rejected by the "Spam Protection" or "File Protection" policy, there is no way to inform the sender. The same applies to the RDNS tests, also the sender is not notified here.

    The reason:
    In Germany, an invoice can be sent by e-mail, even if the reminder is not respected, the court order for payment can be opened at the dunning court. About the statement "My firewall has…

    41 votes
    6 comments  ·  Email Protection
  5. Anti-malware between zones for all protocols

    XG is able to filter malware only if FTP/HTTP/HTTPS protocols are used. Engines are there but cannot be used to scan traffic between zones if the protocols are not FTP/HTTP/HTTPS.
    Please allow Admins to enable malware scan on different protocols (for example scanning CIFS/SMB).
    Thanks

    45 votes
    3 comments  ·  Network Protection
  6. Netflow timeout value

    Add a parameter in Netflow where we can specify the timeout for an active or inactive flow. Actually you send just one flow for the total flow and so we cannot graph the flow.

    23 votes
    6 comments  ·  Base System + General UI
  7. OpenVPN-like SSL app for Android / iOS

    SSL client app for Android / iOS

    Sophos should develop its own app for mobile devices instead of using the OpenVPN app, which is currently causing connectivity problems with Sophos XG SSL VPN. Competitors like Fortinet, SonicWall etc. have their own app.

    25 votes
    2 comments  ·  Network Protection
  8. MTU size detection based on neighboring device.

    MTU size auto-detection based on the neighboring device.
    Based on knowledge base article https://community.sophos.com/kb/en-us/124282.
    It is troublesome to have to manually change the MTU and MSS size according to the ISP.
    This problem happens very commonly with Malaysian ISPs, where the MTU and MSS change randomly.

    7 votes
    1 comment  ·  Base System + General UI
  9. Multiple search domains with SSL VPN

    Some other products allow for multiple search domains/search suffixes. This would be a good feature to implement in the XG.

    16 votes
    4 comments  ·  VPN and RED
  10. IPSEC and SSLVPN site-to-site auto fallback to primary link

    The VPN tunnel (both SSL and IPSEC) does not revert to its primary WAN interface; the Failover group/SSLVPN Client status has to be manually disabled and re-enabled for the tunnel to be established via the primary WAN interface.

    23 votes
    1 comment  ·  Network Protection
  11. ethernet ip below pppoe interface

    Allow setting an IP address on the ETH interface below the PPPoE interface for access to the modem/router configuration on that interface; this has been a huge oversight since UTM.
    Right now the only way to access the modem is to turn the interface into a standard Ethernet interface and configure the correct IP to access the modem, which is cumbersome, needs reconfiguration and breaks the connection (no way to monitor the modem with the PPPoE connection up).

    3 votes
    0 comments  ·  Base System + General UI
  12. User bookmarks in clientless portal

    It would be great to allow users to add their own bookmarks, or to allow group bookmarks AND user bookmarks on the admin interface for a given user.
    At the moment, you can only give access to a group bookmark.

    Since SMB bookmarks seem to need authentication (at least I was not able to make them work without automatic login), each user needs a different group of bookmarks!
    It's a mess and a considerable amount of work.

    13 votes
    1 comment  ·  Network Protection
  13. Integrate other Sophos tools (Sophos Home and Sophos Android Security) to be controlled through XG

    I would like to see the other Sophos security tools cooperate better with XG firewall. For instance:

    I would like to see Sophos Home integrated into the Security Heartbeat feature and allow endpoints with Sophos Home to report their status, like it appears on the website. Also, any configuration that can be done on the Sophos Home website should be available via the XG interface. It would also be nice if the Sophos Home software on an endpoint can detect that it is internal to the XG firewall and defer security settings to the XG, while becoming fully active when…

    36 votes
    3 comments  ·  Base System + General UI
  14. Ability for the Authentication Agents to provide warnings to users

    It would be nice if the firewall would push down warnings to users through the authentication agents of pending quotas or schedules or any system action that will cause the user to be logged out of the firewall. Right now, when a logout event is reached, the user is logged off the firewall with no warning. For users of online services, this does not give them a chance to save work before connection to the internet is lost.

    For instance:

    Provide a popup from the authentication agent when there is 5 minutes (configurable) left before automatic logout due to a…

    9 votes
    1 comment  ·  Authentication clients
  15. Implement support for dynamic/public IP/URL blacklist feeds

    AlienVault has OTX (Open Threat eXchange) and there's https://intel.criticalstack.com/.
    There's also a very big player, Palo Alto Networks, that provides MineMeld (see links at bottom of this post).

    They all provide public feeds of known hostile IP addresses/ranges and URLs*.

    I would really like to be able to make use of such feeds so I can create specific rules on my firewall to block all incoming traffic from these sources and possibly outgoing URL requests to known C2 servers.

    If this blocked traffic (the outgoing attempts) is logged in a specific log, it would have the additional benefit of…

    53 votes
    16 comments  ·  Network Protection
  16. Allow ICMP request from WAN on Public Alias IP Address

    Hi,

    On the WAN port we have multiple alias public IP addresses. Now I want to allow ping only to a particular alias IP address from the outside world, for the purpose of checking whether the server is up or down.

    So please include this feature in XG Firewall.

    We have an urgent requirement for this because we are in the ISP business, so we want to allow ping requests from any source.

    Regards,
    Kamal Patel

    24 votes
    2 comments  ·  Network Protection
  17. Users to have ability to manage email Whitelist and Blacklist via User Portal and quarantine report.

    Users to have ability to manage email Whitelist and Blacklist via User Portal and quarantine report.

    303 votes
    36 comments  ·  Email Protection
  18. Heartbeat: Drop to next rule on heartbeat failure

    I would like to suggest that, with heartbeat enabled, when someone is Red or has no heartbeat there is an option to either block internet access or to drop to the next policy in the list.

    5 votes
    0 comments  ·  Synchronized Security (Heartbeat)
  19. Email Protection: Implement SPF and Header functionality into Sophos XG

    Hi Sophos, for security and anti-spam enhancement please include the SPF check and header modification functionality in your XG Firewall.

    196 votes
    11 comments  ·  Email Protection
  20. Add packet tracer feature

    A feature like Cisco's ASA Packet Tracer utility would be very nice. I like the XG firewalls but I really miss the Packet Tracer. Here's a little bit about it:

    https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer

    I like it because you don't need to set up test hosts - the test packet is virtually injected from the appliance itself.

    10 votes
    1 comment  ·  Network Protection