Hi All,

In order  to improve security and reduce the potential for cross-site scripting (XSS) exploits, Sophos retired support for the HTTP/S bookmarks feature starting with XG Firewall v18. We are now announcing the retirement of this feature in XG Firewall v17.x via hotfix HF062020.1 which was released on June 20, 2020.

Please visit https://community.sophos.com/kb/en-us/133872 for more information.

Regards,

  • This feature needs to be re-enabled, we used this heavily to provide the needed limited access for IT management and developer/contractor access.

    this was an easy and efficient way to manage and provide that limited access route, if we wanted everyone to connect directly to our network via the VPN client then everyone would have credentials for it, the whole intent was to NOT grant that direct connection and to just give that person the access to the one single resource they need to do their work, whether its a web console or the one intranet site they needed to access.

    this response from sophos is improper and should never have happened, nevermind that the bookmarks feature should never have been up for retirement until a direct replacement had been developed that would provide that same or a comparable limited access method.

  • I do use it and Sophos has not come up with an alternative.  WAF cannot use 2FA. We had another year to figure out a solution according to the product lifecycle, as long as we did not update that particular firewall to V18.   this is unacceptable. You cannot pull a feature with no notice. We need it back now.

  • I would agree with MichaelBolton's comment.  I did not use this feature, but the guidance has been that it would be retired in an upcoming release  (ie v18).  Then we discover it was killed via a hotfix on everything whether it was an upcoming release or not.  It makes one wonder what else Sophos can or will kill with the "hotfix" and makes me want to disable mine.  Very poor on Sophos' part.  

  • How can Sophos remove a feature on a version that was not in the original announcement? On top of that, you give no warning at all? You just remove it with a hotfix the same day you post the announcement? You guys need to get it together.