XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.

  1. SSL VPN with separate DHCP scopes

    I would like to see in IPSEC and SSL the option to set each SSL remote configuration to be able to have its own DHCP server, for example I want this group of users on SSL to use one DHCP server and scope and another set of users to use a different DHCP Scope.
    This would help when trying to isolate networks across domains.

    18 votes
    2 comments  ·  VPN and RED
  2. STAS: Install on Server Core

    Hi,

    We need an option to install STAS on Server Core (command line mode).

    Thanks

    49 votes
    7 comments  ·  Base System + General UI
  3. e-mail spoofing protection

    Dear All,

    This product already has integration with domain environments and it will be really great to have functionality to check for existing mailboxes. In case the appliance receives an e-mail with a randomly generated recipient (real domain with fake user part), it will discard it asap.

    I'm not familiar with how it should be properly implemented (maybe Exchange integration is needed), but it will be really awesome functionality!

    18 votes
    1 comment  ·  Email Protection
  4. Cloudflare

    I have moved almost everything over to Cloudflare. Being able to have XG update it automatically would be great.
    API here
    https://api.cloudflare.com/

    DNS-O-Matic also supports Cloudflare and many others.

    21 votes
    0 comments  ·  Dynamic DNS Providers
  5. CLI and WebAdmin authentication with Radius or LDAP account

    I want to file a feature request for the ability to use AD/LDAP/Radius authentication on XG Console and SSH Session.
    Support has confirmed this is currently not an option.

    The reason for this feature request is for compliance reasons, in other words, to be able to see which Admin user has made changes to the config when using Console or SSH session.
    We have some customers who want to know exactly WHICH admin has made changes, at WHAT time and from WHICH IP-address.

    Currently the only option is to use the local admin account which of course does not give…

    32 votes
    1 comment  ·  Base System + General UI
  6. Create LAG without setting IP interface

    XG forces you to set an IP (v4|v6) interface when you create a LAG. This is OK if you plan to use just the LAG without VLANs or with an untagged VLAN.

    BUT, if you don't use untagged VLAN and only tagged ones, you just have to configure some unused IP subnets just to please the web configurator.

    XG should maybe warn but allow you to configure a LAG without setting the IP interface

    56 votes
    3 comments  ·  Base System + General UI
  7. XG: Allow SPX Data protection rules to use keywords

    On the XG - version 16 in MTA mode you can only use predefined CCLs and are limited in what you can look for in Data protection to encrypt emails.

    Like legacy mode and version 15 - you can use a keyword to encrypt emails. For example any emails with Subject: [Encrypt] - SPX encrypt this email. This is a very crucial feature that should exist.

    Sent on behalf of client.

    33 votes
    9 comments  ·  Email Protection
  8. SSL VPN Reports should include the timestamp of when the user connects and disconnects

    SSL VPN Reports should include the Timestamp of when the user connects and disconnects.

    This feature needs to be added.

    222 votes
    32 comments  ·  VPN and RED
  9. Native AWS VPC VPN Support

    The UTM supports auto-setup of site-to-site VPNs with AWS using the AWS provided config files, but XG does not. Dynamic routing is a requirement if you wish to terminate multiple AWS VPNs from the same AWS Zone. This is currently not possible, not just automatically using the AWS config file, but even manually because the XG will not let you assign a link local (APIPA 169.254/16) address to any interface, which Amazon requires for BGP.

    13 votes
    1 comment  ·  Network Protection
  10. Restrict User Portal Access to some users (local or AD)

    Customers sometimes don't want all users to access the User portal.
    It would be nice if there is a check button within the user profile to allow or not access to User Portal for each user or group as well.

    56 votes
    3 comments  ·  Base System + General UI
  11. Time-based be 1min or 5 min interval instead of 15 minutes

    XG time-based policy is in 15 mins interval. One cannot schedule 7:40 or 9:50.
    If the scheduling was in 1min interval or 5min interval, it will be possible.

    22 votes
    7 comments  ·  Base System + General UI
  12. Sophos Access Points to remain working even if XG is unreachable

    The downside we have identified for Sophos APs is that if a remote office with Sophos APs is connected to head-office XG via VPN and everything routes through the VPN, when connectivity is lost, the APs go offline and the remote offices cannot even access their local devices (e.g. printers / local NAS) via WiFi.
    This makes a WAN issue into a much larger impact as the remote offices are unable to work effectively.

    This request is that when XG is not reachable by the AP, it will fall back into an admin defined mode. e.g. if normal mode is bridged…

    25 votes
    3 comments  ·  Wireless Protection
  13. Clientless Users Surfing Quota (Recurring)

    We have a Requirement for having a Surfing Quota option for Clientless users. This would block all Web traffic instead of Logging out the user from Live connections. Since it's Clientless but with benefits of a Client based user.

    18 votes
    1 comment  ·  Network Protection
  14. pattern/expression filter for SMTP Protection

    Ability to filter email based on a word search. Would be nice to have a list of prohibited words that if the SMTP scanner sees the word, the email could be filtered or dropped, etc.

    29 votes
    4 comments  ·  Email Protection
  15. Bridge like UTM9

    XG has some limitations when it is working as bridge:
    Dynamic DNS
    Multicast Routing
    DHCP Client
    IPsec VPN
    VLAN
    Virtual Host
    PPPoE
    Bridge (a Bridged Interface cannot be a member of Bridge)
    Have a look at this KB for more information: https://community.sophos.com/kb/en-us/123276
    This will prevent XG from being installed in such environments that cannot be modified but those features are needed.
    Competition does not have this kind of problem.

    129 votes
    2 comments  ·  Base System + General UI
  16. Reason for email quarantine in quarantine list

    It would be great to use the GUI to see at a glance the reason for why an email was sent to the quarantine. Currently the easiest way to do this in the GUI is to un-check all of the "filter-by" options and check them one by one until you find the reason.

    Ideally an additional column would be added to the list that states the reason (Blocked Source IP, Spam, Infected, etc.). It would also be nice if the UI of the email filter section was brought in line with other parts of the XG, such as the live users…

    93 votes
    2 comments  ·  Email Protection
  17. Register Guest Users via Email Authentication & Delivery Method

    With the current method of Guest User Registration you can only manually register users yourself or Users have to register their phone number and get a text message which can be complex, painful to set up and costly in the long term.

    We need more options for Guest User registration, ideally via email would be the best fall back. Although the user will be wanting to connect via the WiFi because it would be better than their data, they should generally have enough data capability to receive an email. This would be simple and low cost to set up, additionally…

    32 votes
    2 comments  ·  Base System + General UI
  18. Notify sender when email is rejected after acceptance

    Accepted e-mails may never be lost.

    If an assumed e-mail is discarded due to an e-mail policy, a notification to the sender must be made. False positives always occur.

    If an e-mail is rejected by the "Spam Protection" or "File Protection" policy, there is no way to inform the sender. The same applies to the RDNS tests, also the sender is not notified here.

    The reason:
    In Germany, an invoice can be sent by e-mail, even if the reminder is not respected, the court order for payment can be opened at the dunning court. About the statement "My firewall has…

    42 votes
    6 comments  ·  Email Protection
  19. Anti-malware between zones for all protocols

    XG is able to filter malware only if FTP/HTTP/HTTPS protocols are used. Engines are there but cannot be used to scan traffic between zones if the protocols are not FTP/HTTP/HTTPS.
    Please allow Admins to enable malware scan on different protocols (for example scanning CIFS/SMB).
    Thanks

    45 votes
    3 comments  ·  Network Protection
  20. Netflow timeout value

    Add a parameter in Netflow where we can specify the timeout for an active or inactive flow. Actually you send just one flow for the total flow and so we cannot graph the flow.

    24 votes
    6 comments  ·  Base System + General UI