

What is still missing on v18

To be honest, I like the v18 version but, of course, certain implementations need improvement. I posted this thread only for reporting and logging:

https://community.sophos.com/products/xg-firewall/f/logging-and-reporting/118663/reporting-and-logging-dear-xg-we-need-a-big-improvement-in-these-2-fields

and I did not complete the list as it is already long.

For the rest of the features, where I have feedback from my customers, the list of things to implement and improve is:

  1. Logging and reporting as described in the above thread.
  2. Merge network objects. The same subnet/IP list and so on is created multiple times now. Please leave the hosts as the only source/destination and make sure it is usable in all sections. For example, DHCP, DNAT wizard and so on.
  3. Merge DHCP and DNS entries. It is a mess to understand which computer name goes with which IP and so on.
  4. Delete objects like UTM. Inform where the object is used before the deletion is performed.
  5. Perform backup and restore via CLI. In a few cases, the box does not start completely or the UI is down. Allow admins to perform backup/restore operations via console.
  6. Improve the DNAT wizard. I already had some feedback from the presentation I gave to a few customers about the new DNAT wizard. 8 of 10 people said: Why did they remove the nice Create Business Application Rule? It was so nice and straightforward compared to other vendors and compared to the raw Server DNAT wizard. So I would prefer and suggest having the old BAR. For the DNAT wizard, Sophos, you need to include:
    1. Destination IP should be a selectable object and not an IP
    2. Possibility to choose an IPS filter
    3. Possibility to decide if the rule is enabled/disabled
    4. Enable logging by default
  7. Have an unencrypted backup option. It is a bad option, but some small customers cannot even remember their own password. Ability to decide if the backup is encrypted or not.
  8. Change firmware version from console. If the box does not start for some reason but the console starts, possibility to choose (ok, restart the box with this firmware version). This can be done now but the process is not straightforward.
  9. Change KBs to Kb/s. QoS in the industry is based on Kb/s.
  10. Flow monitor graph where we can show customers their bandwidth consumption and block or shape applications directly from there, like UTM. When I showed this during POC, in the UTM era, customers were already impressed and prompt to buy it!
  11. Customize the control center: customers are different. Every customer wants to customize their dashboard. One of the top requests is the current bandwidth utilization in the Control Center. The gadget is missing!
  12. UI resolution on big screens! Change the UI framework!

Hope other users can add their top features list.

As always, I am here to improve the product!

Regards



This thread was automatically locked due to age.
  • Hi Luk,

    I too like the new and improved v18. Have been working hard over the last days to rebuild all the rules, exceptions etc.
    The one feature I would really like to see in the near future is Let's Encrypt support.

    Grt, Peter-Paul

     
    SFVH (SFOS 20.0.0 GA-Build222) - Last (re)boot on November 6th  2023
    Asus H410i-plus - Pentium 6605 Gold - 250GB M.2 PCIe NVMe SSD - 8GB - 3 ports
    [If any of my posts are helpful to you please use the 'Verify Answer' link]
  • Hi  

    Thank you for the post.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

  • Hi Luk, I want to comment on some of those points with my personal opinion. (As always, please consider this as my personal opinion, not "Sophos is saying this!").

     

     

    5. I would recommend considering another backup method; relying on the CLI is like saving the backup on the disk (locally) and hoping the disk is not broken.

    7. Instead of using unencrypted backups, consider using Central Management. It will resolve Point 5 and Point 7. Central stores the backup encrypted, but you have to insert the password in case you actually need the backup! When downloading the backup, Central asks for an encryption password. You do not have to memorize the password.

    8. You could start the SF_Loader by pressing Space while booting. There you could switch the Firmware. 

     


  • Thanks .

    I know all the points but:

    5. I saw a few cases where the UI is not working at all and the XG is booting; the console and the advanced shell are available. So a command can help. If the disk is broken, we have backups via email... but consider that the backup is scheduled once a week, so you can potentially lose 6 days of configuration. Not all customers want to go for Cloud. Do not neglect this aspect!

    7. Not all customers want to go for Cloud. Do not neglect this aspect!

    8. I know this option but I am suggesting to have another option available.

    Thanks

  • What else is missing

    1/. IPv6 parity with IPv4

    2/. DHCP

    a. reservations within scope

    b. exclusions within scope

    c. being able to assign IPv4 and IPv6 addresses to the same device

    d. being able to have a device in multiple scopes that point at a specific interface

    3/. APs display the current address for the device on the SSID, not all used addresses.

    4/. Not have to use RA in IPv6 to assign an address.

     

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hello luk,

    it seems that after nearly 5 years of SFOS development, we could be very close to UTM v9! In that case, of course I fully agree!

    Regards

    alda

  • Is IKEv2 Remote Access an option now with v18? Haven't had a chance to test v18 just yet.

  • Hi Ryan, IKEv2 has not been implemented yet for remote access VPN.

    I would even add the feature to change port. Now if you are running a network on port A, a 1 Gb network, and the customer upgrades the switch where XG is connected to 10 Gb, changing the port without losing the configuration is a nightmare. You need to use SQL commands to change references inside psql.

  • Hello luk,

    yes, changing the configuration that takes a maximum of 5 minutes on UTM v9 can take a whole day with XG v17/18 !!! I can confirm from my very recent experience.

    Regards

    alda

  • Thanks Alda. Any good example?

    With XG customers, I am struggling with troubleshooting and reporting.

    I am teaching: TCPDUMP, CONNTRACK, TAIL -F, CAT and GREP. With customers who are not Linux experts, I spend more time with them troubleshooting XG than configuring it.

    For reporting, it is a nightmare. I.e.: "Can I have a report for all traffic generated from this VLAN to this VLAN?" Take note that multiple rules exist for the same source/destination network.

    I reported most of the issues with reporting in another thread.