XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.

  1. Mixing Wireless Client Traffic Types

    I want to be able to add all my wireless networks to all my access points.
    Currently I cannot mix "Bridge to AP LAN" and "Bridge to VLAN" on the same access point which I could easily do on other wireless systems.

    14 votes
    1 comment  ·  Wireless Protection
  2. TR-069 Provisioning

    Auto-provisioning via the TR-069/CWMP protocol to configure WAN IP address, firewall rules, management server, etc.

    https://en.wikipedia.org/wiki/TR-069

    5 votes
    0 comments  ·  Base System + General UI
  3. DHCP option 42 (NTP) use DNS name

    DHCP option 42 (NTP) currently can only take a static IP. We need to be able to use a DNS name as well, so we can use something like pool.ntp.org.

    22 votes
    0 comments  ·  Base System + General UI
  4. NAT64 support

    With an IPv6 WAN interface it's not possible to reach an IPv4 device (IPv6 is not possible for this specific device) over the internet. We need a translation from IPv6 -> IPv4. Business application rules (DNAT, WAF) do not support mixed IPv4/6, only IPv6 for an IPv6 rule and vice versa.

    49 votes
    1 comment  ·  Base System + General UI
  5. Make home license payable but cater to some home user requests

    Perhaps not the most popular suggestion, but I would gladly pay a modest fee (e.g. 50 USD/year to be on par with Untangle) if some user requests could be fulfilled. I think of


    • using the Sophos Home cloud to create integrated reporting

    • the ability to use XG as an OpenVPN client so all traffic is protected

    • the ability to use Sandstorm

    Then again: a big thank you for making the software free to use. Based on this policy, I was able to recommend at least 15 small businesses to move to Sophos.

    17 votes
    0 comments  ·  Base System + General UI
  6. XG as OpenVPN client

    The ability for XG to act as an OpenVPN client with the ability to open separate tunnels based on destination country would be great.
    I fully realize this functionality is probably most relevant for non-paying home users, so I ask this with a lot of diffidence.

    27 votes
    3 comments  ·  Network Protection
  7. Support for DNScrypt

    Is it possible to add DNSCrypt support, please? Everything that can be done to make DNS more secure is urgently needed :)

    36 votes
    9 comments  ·  Network Protection
  8. DHCP client Option 60 on WAN Interfaces (for IPTV in Singapore)

    In Singapore the IPTV services require DHCP Option 60 to be a specific string before the DHCP server assigns an IP address.
    An option to send DHCP Option 60 together with the DHCP Discover packet would be great to have, to enable the XG Firewall to get an IP address from the ISP's DHCP for IPTV.

    31 votes
    7 comments  ·  Base System + General UI
  9. Weak handshake - SSL VPN

    Hi team, I noticed that Sophos VPN uses a weak handshake for remote users despite high settings on SSL VPN crypto.
    Currently it uses: SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
    3DES-EDE is known to be weak.
    I think this is a serious problem for such a nice firewall.
    Forum post: https://community.sophos.com/products/xg-firewall/f/vpn/84727/sophos-xg-ssl-vpn-remote-use-weaker-handshake-than-specified-and-udp-failed-to-connect/

    40 votes
    1 comment  ·  Network Protection
  10. WebSocket

    Websocket.

    IETF standard. Used by real-time comms on webpages.

    DESPERATELY needed. HTTPS Decrypt and Scan basically kills it. Please fix!

    52 votes
    11 comments  ·  Web Protection
  11. HotSpot logging

    hotspot

    HotSpot feature lacks logging capabilities.

    For example, it would be great to automatically map and log the voucher code with the IP address of the user that was using it and create reports based on this.
    Without this it's impossible to audit what traffic was generated by that user.

    Same issue is with UTM:
    http://ideas.sophos.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/10924653-logging-for-hotspot-vouchers

    Thanks,
    Lukasz Naumowicz

    60 votes
    1 comment  ·  Wireless Protection
  12. XG MTA mode - bypass a sender/recipient address or domain from email protection

    The new MTA SMTP deployment mode in SFOS v16 lacks the ability to bypass a (or some) sender/recipient from all email protections. At the moment, we can only create an SMTP policy to bypass a destination email domain from email protections, and it is not practical in most situations.
    However, in the Legacy SMTP deployment mode, we can create an SMTP scanning policy to bypass certain senders/recipients from all email protections.
    It would be great if MTA mode could be implemented with the ability to bypass certain senders/recipients from email protections.

    134 votes
    10 comments  ·  Email Protection
  13. A way to check the real time bandwidth usage for rules

    Is there a way to check the real time bandwidth usage for firewall rules?

    So the user can distinguish which rule used the most bandwidth and set the proper QoS for it.

    Thanks~

    216 votes
    6 comments  ·  Base System + General UI
  14. JSON API

    Provide a JSON API rather than XML. Since the backend config services use JSON, I'm surprised this wasn't done from the beginning.

    26 votes
    0 comments  ·  Base System + General UI
  15. Display current client version of Authentication Client Downloads

    The download page for authentication clients (System -> Authentication -> Authentication Clients) should display the version that is currently available on the download site to allow for easier comparison to currently deployed client versions.

    5 votes
    0 comments  ·  Base System + General UI
  16. Reverse proxy add encodedslashes option

    Please provide the option in the Reverse proxy to enable encodedslashes for a specific virtual webserver.

    Some web applications use, for example, %2F for a slash, and the reverse proxy cannot translate this back to / because allowencodedslashes is not enabled by default. So this results in a 404 error.

    http://httpd.apache.org/docs/current/mod/core.html#allowencodedslashes

    This is essential for web applications like SAP Fiori! I think we are not the only company that has this issue.

    25 votes
    2 comments  ·  Webserver Protection
  17. Policy Routing based on Web Categories and/or Applications

    It could be very nice to have the ability to make the routing decision based on the web category (applications too) within the web policy (or apps filter), for example, so we can use the main WAN or GW for business-related and productive categories and apps, and all the rest goes through the secondary WAN connection usually used for backup, for example. And it can be blocked if the primary WAN or GW is down, so the backup WAN or GW gets used for the business traffic.

    76 votes
    4 comments  ·  Synchronized Security (Heartbeat)
  18. Support Outlook 2016 with SPX outlook add-in

    Currently XG is still using version 1.3 of the Outlook plug-in, which does not support Outlook 2016. Can you please update the plugin/add-in on the XG User portal?

    22 votes
    1 comment  ·  Email Protection
  19. Rogue access point detection

    The Sophos XG firewalls should be able to detect rogue access points with APs connected, the same way the models with built-in wireless do.

    62 votes
    4 comments  ·  Wireless Protection
  20. RED - New models with higher throughput

    Hey Guys, are there any plans for new RED Devices? Maybe a VPN throughput about 1000 MBit/s.
    Thanks

    7 votes
    0 comments  ·  VPN and RED