Stuart Hatto, XG Product Manager
(Admin, Sophos Features & Ideas Laboratory)
My feedback
-
4 votes
-
972 votes · Under Review · 105 comments · XG Firewall » Webserver Protection
Let's Encrypt support is in our current (2021) backlog, and we are currently planning the supporting version. No committed delivery at this time. We do understand the usefulness of the feature.
Stuart
-
41 votes
Wanted to respond that the RN (https://docs.sophos.com/nsg/sophos-firewall/18.0/releasenotes/en-us/nsg/sfos/releaseNotes/MR3.html) documents this well. Also the CLI guide has been updated.
-
20 votes
Hi, the RFCs do allow for the sending of a reject message, but only before the connection is dropped. So after the DATA transfer is ended, we could scan the content, determine it was spam and send a 550 (reject for policy reasons) to the sender, then close the connection. I see a couple of issues I need to think through. Firstly, scanning of an attachment, especially using Sandstorm, could take a considerable period of time - I have a concern on resource exhaustion. Second, if the mail is delivered via an intermediate relay, it will be the relay that gets the reject, not the originating sender.
I have asked our XG MTA engineering team to have a look at this for possible inclusion. The usual caveats apply, this is not a commitment, and I have no timescales.
Stuart
-
34 votes
Hi Angel, thank you for your suggestion. This capability is under consideration at this time. It is likely that as we move RED management into Central that the RED device will need a local configuration backup. This will eliminate the need for RED to contact the XG gateway for configuration.
This is still a roadmap item and at this time no timeframe is committed.
Thanks again for your suggestion,
Stuart
-
4 votes
Kenya and Kyrgyzstan are both included in the GeoIP DB under Africa and Asia
-
7 votes
GCM and Suite-B Cipher Suites are in our roadmap and under consideration for v18.5 but not yet committed.
-
1 vote
Can you expand on this please?
If you are allowing access via SSLVPN and have set your firewall rules to allow access, how do you envisage that the XG firewall would stop copy and paste of data? This is an issue better policed with an Acceptable Use Policy.
You can block the copying of files and folders in a firewall policy associated to the SSLVPN users - block access to SMB, NFS etc. If you allow these protocols in your policy then the firewall cannot block these activities.
-
13 votes
Mobile devices should use TCP 587 (submission) to send emails, not SMTP; submission implies authentication.
https://en.wikipedia.org/wiki/SMTP_Authentication#Role_in_the_mail_transport_system
https://en.wikipedia.org/wiki/Message_submission_agent
RFC 6409 defines Message Submission and is the current Internet Standard – it is updated by RFC 8314, which mandates encryption for Submission (currently a proposed standard).
We added TCP 587 to the SMTP(S) service object in v17.5, and so this can be used to direct traffic to the internal MTA via a firewall rule and DNAT. This would therefore be rejected as a feature request.
XG does support authenticated relay for MTA to MTA of course.
Stuart Hatto
XG Product Manager
Oliver, this is on our backlog but no commit date as yet
Stuart