Unwanted Parenting - Why does SOPHOS insist on removing features "for our own good"?

Question

SOPHOS markets their XGS product to network administrators, who are professionals in their field. These are expensive devices that owned by the customer, and should be up to the customer how they wish to deploy\configure\use them. 
 SOPHOS, however, is intent on "Parenting" their network administrator customers. SOPHOS is removing another feature that some admins are using because I guess SOPHOS "knows better". We've been using the new XGS Firewalls for a few months and this is the second time I've seen this behavior. 
 While SOPHOS is busy removing functionality and features from their Firewalls to "Parent" their customers who don't need parenting, other functionality is direly needed, however that does not appear to be the focus. 
 Why don't we work on improving the MANY missing features that XGS needs, before we start making the product less flexible.

bobbylam · Accepted Answer

The goal is to help our customers limit their security risk & exposure on WAN, as we know malicious actors are constantly probing and attacking systems/networks (not just Sophos firewalls) - as you all can probably see from various incidents in the news. 
 We know most users only need to download their VPN configuration remotely. Once they do, they can VPN in to perform other operations (e.g. email quarantine) from the User Portal. Therefore we created the VPN Portal to separate & limit the operations available directly from WAN to a minimum, thus reducing the attack surface. This way our customers can keep their risk to a minimum. 
 We also know some customers enable their User Portal on WAN, without a need to (when it's not used). This again unnecessarily increase their risk & exposure. That's why we implemented an auto-disable if it's unused. If the User Portal is legitimately being used (even by 1 user), it will stay enabled. If the admin needs to re-enable the User Portal after it's been disabled, they can also do so. Again this is to help reduce our customers' risks, especially for those who 'sets & forgets' their firewalls.

Vivek Jagad · Answer

Hello Steve Klassen , Thank you for reaching out to the community, and thank you for the feedback, But for secure access, we recommend one of the following: 
 
 Add a local service ACL exception rule that only allows access from specific IP addresses and networks. 
 Use Sophos Central .

Unwanted Parenting - Why does SOPHOS insist on removing features "for our own good"?

Top Replies