Unwanted Parenting - Why does SOPHOS insist on removing features "for our own good"?

SOPHOS markets their XGS product to network administrators, who are professionals in their field. These are expensive devices that are owned by the customer, and it should be up to the customer how they wish to deploy\configure\use them.

SOPHOS, however, is intent on "Parenting" their network administrator customers. SOPHOS is removing another feature that some admins are using because I guess SOPHOS "knows better". We've been using the new XGS Firewalls for a few months and this is the second time I've seen this behavior.

While SOPHOS is busy removing functionality and features from their Firewalls to "Parent" their customers who don't need parenting, other functionality is direly needed, however that does not appear to be the focus.

Why don't we work on improving the MANY missing features that XGS needs, before we start making the product less flexible?

   



This thread was automatically locked due to age.
  • The Focus is Security. This is low-hanging fruit and increases the security best practice for a lot of customers.

    Exposing WAN HTTPS/SSH for no reason is a real security concern.

    You can workaround this by using the CLI switch: https://doc.sophos.com/nsg/sophos-firewall/19.5/help/en-us/webhelp/onlinehelp/CommandLineHelp/DeviceConsole/Set/index.html#advanced-firewall

    What are the use cases for using WAN HTTPS ANY? 

    Or let's rephrase it: Why would you leave your door open if there is nobody using it? The Mechanism checks for successful logins; if there are some, it will be untouched.

    If you are not using the door for 60 days, it will be disabled by default, increasing the security of a product by a lot. So if you want to use the HTTPS ANY policy, nothing will change for you.

    If you get this alert by the firewall, it means, nobody used it for 30 days - Maybe it is time to "shut it down". 

    See Shodan for how many firewalls are available on port 4444 for "no reason".
    You can put your reason into the reason to enable WAN HTTPS - But essentially there are better ways to build this access (VPN, Central, ZTNA, ACL). 

    __________________________________________________________________________________________________________________

  • I am with you but in my eyes another long wanted feature should have been implemented side by side with it to make it much easier for all of us: FQDN for ACL...

  • That is currently on the roadmap to be implemented in the future to address this scenario. 

    __________________________________________________________________________________________________________________

  • I know, but I think it should have had a higher prio so it could be released together... But we will see what 20 will bring us...
