Everyone Please Read!!! Sophos Removed a Feature with No Notice

Hello everyone,

Most of you may not realize this because you don't use it, but Sophos has decided to remove a feature from our firewall with no notice at all.

They have removed the HTTP/HTTPS bookmark feature from clientless access on V17.X. This feature removal was previously announced, and we were told it would be in an upcoming major release, i.e. V18. It would not affect V17.

Over the past weekend, Sophos decided to remove the feature from any device running V17.x. They did so with no notice at all. The hotfix was deployed the same day the notification was released. Here is the notification https://community.sophos.com/products/xg-firewall/b/blog/posts/sophos-xg-firewall-http-s-bookmarks-feature-retirement.

This feature may not matter to you, but I bring it up because our firewall vendor decided to remove a feature from a production product with no notice whatsoever. I tagged  and  in the comments but did not get a response.

If Sophos will remove that feature with no notice, what will they do in the future? What an unbelievable move from a firewall vendor. We use this feature and have no alternative right now. WAF does not support 2FA and we cannot install a VPN client as we don't own these machines.

Let's all ask for answers! How can Sophos do this with no warning?

Mike

  • There was a notice on XG dashboard for at least half a year that HTTPS Bookmarks will be retired...

  • 100% agree.

    Even if this is a rarely used feature and the technology behind it was never meant for large-scale deployment, it is a no-go to remove features via hotfix on existing devices.

    It is okay if features are removed in future releases, but it is up to the customer to decide when to upgrade.


    From a legal standpoint, the customer has purchased a product for which they have paid money for a feature set at that time.

    In my opinion, Sophos should not be allowed to remove a feature that the customer has paid for without the customer's consent.

    Of course, the customer can disable automatic hotfixes, but that would heavily reduce security in case of real "hotfix" situations.

  • In reply to Samuel Heinrich:

     That notice stated it would be removed in the next major version, which would have been V18, not V17.x. The notice for V17 was posted on June 20th and the hotfix was deployed the same day. That did not give any customer a chance to migrate off of that feature, which is unacceptable. The feature should have remained on any firewall running V17.x, and the customer would have known that if they upgraded to V18, they would lose the feature.


     Exactly. I knew it would not be available when the units were upgraded to V18, but to remove something with no notice is ridiculous. I did not even have time to disable automatic hotfixes because they pushed it as soon as the notice was posted.

  • In reply to Samuel Heinrich:

    https://community.sophos.com/products/xg-firewall/f/network-and-routing/121486/user-portal-disabled-across-multiple-xg-firewalls-by-cli-user/441667

    Sophos Product Management have also decided to take it upon themselves to exercise their perspective and choices without consent or prior notification either.

    Emile

  • In reply to EmileBelcourt:

     I ran into that issue as well, unfortunately. Still no one from Sophos will comment either. Nothing surprises me anymore with them. We'll be moving away from them when the licensing expires. I've had enough.

  • In reply to FloSupport:

     This is not an answer. This is just stating a vulnerability was found. FIX the vulnerability. Don't take a feature away from a licensed and supported product because product management and development don't want to invest the time into fixing it. V17.5 is a fully supported version according to Sophos' support policy. You cannot remove a feature with no notice because it was the easy thing to do. I need it back or I need WAF to support 2FA, plain and simple. My issue will not be resolved until either of those happen, and I will continue to open support cases until it is resolved.

  • In reply to MichaelBolton:

    Adding my two cents here.

    If v17 is still officially supported then removing a feature because it has a vulnerability is a very poor choice indeed.

    I'm a Tier-3 network engineer for a Fortune-X company and I would be exceedingly concerned if one of our vendors did something like that. Since I'm a Sophos-home user it would be mostly a nuisance, but in the corporate world we're in a different league.

  • In reply to Arie:

     Thanks for the post. We do use Sophos devices in a corporate environment, unfortunately. These devices have current support contracts as well. It is a red flag for a vendor to do this and one that will push us away from them. This opens the door for any feature to be removed if a vulnerability is discovered. I just can't understand how they think that is OK to do.

  • In reply to MichaelBolton:

     Thanks for confirming that.

    I'm periodically asked about Sophos by other teams at the aforementioned Fortune-X company and so far I have not felt comfortable recommending the Sophos line-up. Too many issues like this, too many quirks, too many outstanding (very old) feature requests, and too little emphasis on meeting security requirements like PCI-DSS. And the update cadence...

    Problems with the Sales Dept as well - try asking how to run a single license for InterceptX on a client machine with multiple users in an EDU-setting. According to the License Agreement this is an option, but Sales can't seem to figure this out.

    For small companies, non-profits, and schools Sophos may be a viable option. But I'm not ready to stake my reputation on it for larger companies yet.

  • In reply to Arie:

     I have had too many issues with them as well. I would not recommend them for anything over a small business.

    I am still waiting for them to get the XG platform FIPS 140-2 certified. I was told they would with V18, but I don't even see where they have started the process. V18 was supposed to be released in 2018, so, who knows how long it'll be.

    I do have a call scheduled with product management this week though to discuss it. We'll see what happens. I have a feeling I'll be looking for another vendor, which is a shame since they have great technology with the ability to integrate XG with Intercept X.

  • In reply to MichaelBolton:

    Agreed on it being a great product, but also agreed that there are just too many items that preclude it from being a good choice for all but small companies and non-profits.

    Here's another essential feature request Sophos "is considering": https://community.sophos.com/products/xg-firewall/f/web-protection/75113/how-do-i-re-categorized-specific-url-domains-and-ip-address-to-already-included-categories

    That was four years ago...

    I'm tempted to start a new topic to list the outstanding issues, but I'm afraid that it'll become unwieldy very quickly and in the end not much will change.

  • In reply to Arie:

    LOL yes, that is one I have been waiting on. Also waiting on IKEv2 remote access. They "just" released IKEv2 site-to-site tunnels and route-based VPN not long ago. Features a 50 MikroTik has. They are very far behind and they know it.

    There are a lot of very active forum members like    and  (sorry for anyone that I didn't tag, I know there are others I have talked to) that have all voiced their concerns, but it doesn't seem to matter. Sophos does what they can make the most money on. I wouldn't waste your time opening a new topic on missing features and outstanding issues. Most of us here already know the list, unfortunately.

    I am very curious as to how this conversation will go tomorrow. I will definitely post what happens.

    Side note, what do you guys run in your corporate network?

  • In reply to MichaelBolton:


    Thanks for your post. I am not writing on the community anymore as I have some personal problems that take up my whole day, so I have no time to stay connected!

    Regarding this feature, this is something that many users use, and Fortigate has had it implemented for many years now and it is still used. I guess that they are removing it as it is not designed/implemented securely. As I said, I guess. Some of us here, like me, are Sophos Partners, but we do not have a say in deciding if a feature should be removed, added and so on.

    From my understanding, the Sophos XG group is not open like the UTM group was! Indeed, every feature here, for Sophos devs and the Sophos Product Manager (for the XG product line), needs to be what SW developers call a Use Case. Nothing against it. The main problem is who gives them the use cases and how. In every communication and translation there is a misunderstanding. v18 is a nice step forward, but from my point of view it is not the product that it should be, based on the efforts Sophos has spent since 2015. The product is still unstable, some features are half implemented, and so on.

    My advice for Sophos is to consider properly who the customer is in the SDLC (SW Development Life Cycle), because if on the other side they have Partners that do not understand what their customers want and what other vendors do, we have the product we see today. If the input is wrong and issues emerge during translation, you can imagine that the result is totally different from what the market is expecting.

    I am preparing for the SW Development exam (Master's Degree in Computer Engineering) and I can now understand what developers and product managers do and how they think, but most of the output depends on customer input, feedback from the customers, and how this feedback is re-iterated in the next sprint or timebox. I would suggest Sophos create more feedback questionnaires, involve new customers during their development, write USE CASES and LISTEN LISTEN LISTEN. If I think of the NAT translation implemented in the firewall rule... OMG! I volunteered to be involved as a "customer" during their development, but for the moment, no voice, no feedback, nothing!

    I still have issues with Skype calls and with emptying the recycle bin in hotmail.com when I am connected to XG, and from the logs you do not understand what is wrong; you can imagine how happy I am (I am using HTTPS scanning).

    This is my opinion!

    Regards