Sophos Firewall Feature Request 2024


We work with Sophos Firewall every day, and our customers regularly tell us which security and usability features they miss. Based on this experience and feedback, we have compiled a detailed list. We summarize this feedback here in the Sophos Firewall Feature Request.

Let’s Encrypt Support

This is the most frequently requested feature, and many have been waiting for it for over three years. With Version 21, which is expected to be released around October, this feature will finally be included.

Renaming objects

Currently, it is unfortunately not possible to rename certain things on the firewall. Here are a few examples:

  • Site-to-Site IPsec connections
  • Zones
  • DHCP Server
  • IPS Rules

This feature would be extremely useful for keeping configurations clearer and better organized.

If, for example, you want to rename a Site-to-Site VPN connection, you have to delete it and create a new one, just to change the name.

Responsive GUI

With the update to Version 20, the GUI was somewhat optimized for widescreen monitors to reduce white space. This was already a very frequently requested Sophos Firewall feature.

Nevertheless, our customers would like a fully responsive interface that also looks good on tablets and mobile devices. Especially on small monitors and with 4K resolution, there is still room for improvement.

Backend Performance

The GUI is slow. Especially on smaller firewall models, the devices often respond very slowly, particularly when saving firewall rules. There is still a lot of room for optimization here to improve the user experience.

One example: saving a firewall rule on an XGS 126 with SFOS v20 takes too long.

Sophos Firewall Feature Request - Time to Save a Firewall Rule

The interfaces take a similarly long time to load, and the dashboard takes about twice as long.

Grouping NAT rules

It is possible to group firewall rules to organize them better. However, this feature is missing for NAT rules. A grouping option would be useful here, too.

Clone NAT rules

While the feature for cloning firewall rules already exists, this useful option is missing for NAT rules. It would be very helpful if NAT rules could also be cloned to make configuration faster and more efficient. This is a Sophos Firewall feature request we often hear from our customers.

Customize and save Log Viewer

The Log Viewer allows you to add or remove columns to make logs easier to read. It would be helpful if these settings could be saved so that the next time you open the Log Viewer, your preferred column view is already available.

Integrated Speed Test

An integrated speed test that can be run directly from the firewall is high on the wish list of many users. Other manufacturers already offer this capability, making it possible to run speed tests across different interfaces directly from the firewall or schedule them to run at specific times.

Hide warnings in the dashboard

Sophos Firewall Feature Request - Dashboard Alerts

Warning messages or alarms are displayed in the dashboard, but they cannot be hidden. Many users want the ability to mark these messages as seen so that they are not permanently displayed.

Import multiple objects simultaneously

The ability to import multiple objects at the same time would be a valuable addition. Currently, IP lists can be imported, but URL lists or multiple networks cannot. This feature would significantly improve efficiency, especially for exceptions for Microsoft services, where many networks or URLs need to be listed.

For firmware updates for RED or Access Points, there is currently only an “Install” button in the backend, without detailed information about the changes. This leaves administrators with the problem that they do not know what changes or improvements the new firmware includes. This is particularly problematic because there is no rollback option if problems occur after installation.

A direct link to the release notes would therefore be a very practical Sophos Firewall feature request. It would allow you to check the changes before installation and better assess the risks or benefits of the update. Currently, you have to search for details in the Sophos Community, which takes additional time.

Auto Block Attack

A comparable mechanism that is easy to picture is the password protection that triggers a temporary lockout after too many failed login attempts. Most administrators are familiar with this mechanism, and Sophos Firewall already uses it.

This mechanism blocks login after a certain number of failed attempts and locks access for a defined period. A similar firewall feature would be extremely useful to automatically block IP addresses if multiple suspicious activities are detected within a short time.

Sophos Firewall - Log Viewer IPS
Sophos Firewall Feature Request - Autoblock Attacker

A similar method is also used by Fail2Ban, a program that checks logs and blocks IP addresses that show certain predefined patterns of attacks or suspicious activity. Fail2Ban protects systems from brute-force attacks and other threats by automatically blocking attackers.

It is obvious that such an automatic blocking feature would also be extremely useful for Sophos Firewall. Currently, the Intrusion Prevention System (IPS) detects suspicious activity and blocks it, but the attacker can continuously repeat the attempts. Each suspicious activity triggers a notification, and the administrator must intervene manually to block the IP address.

An autoblock mode, where the administrator can set an IP address to be blocked for 15 minutes, an hour, or even longer, would significantly increase efficiency and security. If the firewall detects several suspicious activities from a specific IP address within one minute, it would be sensible to automatically block this IP for a certain period. The administrator could maintain the blacklist at any time and remove the address if necessary.

By introducing such an autoblock module, the firewall would provide even more effective protection against repeated attacks while reducing the administrator’s workload.

It would then once again be machine against machine, because most attack attempts today are carried out by bots or automated systems. Behind the Sophos Firewall, however, there is still an administrator who has to handle such events manually to prevent further requests.
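The autoblock logic described above, sketched as an added example (not code from Sophos or from Fail2Ban): a sliding one-minute window per source IP, a 15-minute block once the threshold is reached, and manual removal by the administrator. The log format, the sample lines, the threshold of 3 and the names AutoBlocker and replay are assumptions made for this illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed: the post says "several" events in one minute; THRESHOLD = 3 is chosen here.
WINDOW, THRESHOLD, BLOCK_FOR = timedelta(minutes=1), 3, timedelta(minutes=15)
# Constructed log lines in a made-up format (not the real SFOS log layout).
LINE_RE = re.compile(r"^(\S+) ips action=drop src=(\S+)")
SAMPLE_LOG = """\
2024-06-01T10:00:05 ips action=drop src=203.0.113.7
2024-06-01T10:00:20 ips action=drop src=203.0.113.7
2024-06-01T10:00:30 ips action=drop src=198.51.100.9
2024-06-01T10:00:41 ips action=drop src=203.0.113.7
2024-06-01T10:05:00 ips action=drop src=198.51.100.9
2024-06-01T10:16:00 ips action=drop src=203.0.113.7
"""

class AutoBlocker:
    def __init__(self):
        self.events = defaultdict(deque)  # src -> event times inside the window
        self.blocked = {}                 # src -> time the block expires

    def is_blocked(self, src, now):
        if src in self.blocked and now >= self.blocked[src]:
            del self.blocked[src]         # block has run out
        return src in self.blocked

    def observe(self, src, now):
        """Record one IPS event; return True if this event triggers a new block."""
        if self.is_blocked(src, now):
            return False                  # already blocked, nothing new
        window = self.events[src]
        window.append(now)
        while now - window[0] > WINDOW:
            window.popleft()              # forget events older than the window
        if len(window) < THRESHOLD:
            return False
        self.blocked[src] = now + BLOCK_FOR
        window.clear()
        return True

    def unblock(self, src):
        self.blocked.pop(src, None)       # manual removal by the administrator

def replay(log_text, blocker):
    """Return [(timestamp, src)] for every block the log would have triggered."""
    hits = (LINE_RE.match(line) for line in log_text.splitlines())
    return [(m[1], m[2]) for m in hits
            if m and blocker.observe(m[2], datetime.fromisoformat(m[1]))]
```

In the constructed log only 203.0.113.7 reaches three events inside one minute; 198.51.100.9 produces two events minutes apart and is never blocked.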

Bad IP Blocker Feeds

In the upcoming Firewall Version 21, it should be possible to implement predefined lists to block access to dangerous IP addresses. This means that if someone internally tries to access a known dangerous IP address, that access will be automatically blocked. In future versions, these lists will be supplemented by third-party providers. Unfortunately, only outbound connections are checked against these lists.

A great extension would be to add feeds to the firewall that contain IP lists to block known dangerous IPs for incoming connections as well. This could apply to NAT rules, VPN requests, user portal requests, and other services.

For the Web-Application Firewall, there is already a similar function called “Block clients with bad reputation,” which does the following:

It blocks clients that have a bad reputation due to real-time blackhole lists (RBLs) and GeoIP information. Skipping remote queries for clients with a bad reputation can improve performance. For RBLs, Sophos Firewall uses Sophos Extensible List (SXL) and SORBS. For GeoIP, it uses Maxmind. Sophos Firewall blocks clients that fall into categories A1 (anonymous proxies or VPN services) and A2 (satellite ISPs).

The desired feature would therefore be the ability to subscribe to custom RBL feeds, for example from well-known vendors or from GitHub.

Such an extension would significantly increase the security of the firewall and its services by effectively protecting not only outbound but also inbound connections against known threats.
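How a subscribed feed could be loaded and checked against inbound source addresses, as an added example (not Sophos code or an existing SFOS feature): the feed text, its comment syntax, the PROTECTED list and the function names are assumptions made for this illustration. Malformed entries and entries that overlap the administrator's own networks are rejected and reported instead of being applied.

```python
import ipaddress

# Constructed feed text (real feeds differ in format); addresses come from
# documentation ranges. PROTECTED is a hypothetical admin-defined safety list.
SAMPLE_FEED = """\
# constructed example feed
203.0.113.0/24
203.0.113.64/26   ; already covered by the /24 above
198.51.100.23
2001:db8:bad::/48
not-an-ip
10.1.2.0/24
"""
PROTECTED = [ipaddress.ip_network("10.0.0.0/8")]   # own networks, never block

def load_feed(text, protected=PROTECTED):
    """Parse a plaintext feed; return (networks by IP version, rejected entries)."""
    nets, rejected = {4: [], 6: []}, []
    for raw in text.splitlines():
        entry = raw.split("#")[0].split(";")[0].strip()
        if not entry:
            continue                       # blank line or comment
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append(entry)         # malformed entry: report it, keep going
            continue
        if any(net.version == p.version and net.overlaps(p) for p in protected):
            rejected.append(entry)         # feed must not be able to block own ranges
            continue
        nets[net.version].append(net)
    merged = {v: list(ipaddress.collapse_addresses(n)) for v, n in nets.items()}
    return merged, rejected

def is_listed(src, networks):
    """True if an inbound source address falls inside any feed network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in networks[addr.version])
```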

Disable Wireless Service

Although there is an option to disable the Wireless Service, this is displayed as an error. A warning message then appears in the dashboard:

Sophos Firewall Feature Request - Disable Wireless Service
Sophos Firewall Feature Request - Wireless Service Alert

This means that even if the administrator intentionally disables the service to conserve resources or for other reasons, the firewall interprets this as a problem and displays an error message. It would therefore be desirable to have a way to disable the Wireless Service without it appearing as an error in the dashboard.

Feedback to us

In this post, we have compiled the most common Sophos Firewall feature requests that we have collected in recent months. In doing so, we have considered both the wishes of our customers and the features that would help us make the setup and maintenance of numerous customer firewalls more efficient.

If you have any further suggestions or wishes, please send us your feedback via the contact form. We will update this blog post regularly so that it continues to reflect the latest needs and requirements.

A roadmap is no guarantee

You should never buy a product just because a manufacturer promises that the feature you want will be added in a future update.

With Sophos, it is no different. The roadmap is about as reliable as the weather forecast or horoscopes. Features are added and removed, services are presented at roadshows, or items are written into product data sheets with the note (coming soon), which means absolutely nothing. I could write a separate post about Sophos announcements that never materialized. In addition, Sophos is unfortunately not one of those vendors that listens to users and then develops features accordingly; that would be completely absurd. It is better to chase the next hype from Gartner analysts, what shareholders want to hear, or what the competition is doing.

I think that should make everything clear, and I have nipped false hopes in the bud.

Patrizio