

Unwanted Parenting - Why does SOPHOS insist on removing features "for our own good"?

SOPHOS markets their XGS product to network administrators, who are professionals in their field. These are expensive devices that are owned by the customer, and it should be up to the customer how they wish to deploy\configure\use them.

SOPHOS, however, is intent on "Parenting" their network administrator customers. SOPHOS is removing another feature that some admins are using because I guess SOPHOS "knows better". We've been using the new XGS Firewalls for a few months and this is the second time I've seen this behavior.

While SOPHOS is busy removing functionality and features from their Firewalls to "Parent" their customers who don't need parenting, other functionality is direly needed, however that does not appear to be the focus.

Why don't we work on improving the MANY missing features that XGS needs, before we start making the product less flexible?

   



This thread was automatically locked due to age.
  • That is currently on the roadmap to be implemented in the future to address this scenario. 


  • I was wondering when Toni would show up... he must have been on holidays.

    Today, disable WAN HTTPS button... but you can use this workaround.

    Tomorrow, SOPHOS will disable the workaround. 

    We don't need to be parented. 

  • I know but I think it should have been in a higher prio to release it together... But we will see what 20 will bring us...

  • Again, none of this is the point, I'll say it one more time. This is not a decision, regardless of security or any other matter, that Sophos should be making. This is like buying a car from Toyota and then having Toyota say we are locking your doors remotely whether you want them locked or not. It's not their decision to make and it probably oversteps a boundary that means more of this nonsense is coming in the future.


    You realize we have hundreds of firewalls sold that we have no access to. This means we have lots of burden on those units for businesses that may not be on the forum every day. It is their decision to make if they want the WAN to be accessible or not. Many of them feel fine as long as MFA is enabled, it's enough. I may not think that is the best way but it's not my decision and I am not dumb enough to think it is.

  • Then set the parameter above and disable this option. WAN HTTPS will be active. 

    So essentially my point is: Partners liked this approach, as they can point towards Sophos to be the voice to "close this gate". SFOS will close it automatically, if not needed, and Partners can discuss this with their customers to find alternatives like those listed above to increase the hardening of their edge security product.

    If you want a car analogy: Most cars nowadays auto-lock themselves after a time by default, as they assume you are not there anymore and maybe forgot to lock the car. Why does the car vendor build that?


  • Your product is not designed for 16-year-old rookie drivers with no experience, like a car is.

    Your product is designed for businesses and professionals who are experienced. We don't need training wheels and parenting. We need a flexible device that allows us to do what we need, even if that is risky or unrecommended.

    I wonder if Klaus Schwab and the WEF are involved in the direction of SOPHOS.

  • It's impossible to get you to understand the point so I'll stop. I don't drive a Fiat.

    I'll just calmly wait until everything is ingested into Sophos Central and wait for the announcement that it's now a pay-for product and watch the meltdown.

    Sophos needs to worry about the 1000 things that are broken and leave the configuration to the professionals. You guys don't even have ACL lists that support DNS names, yet closing everything down. Take away the SSL VPN client when the Sophos Connect client is trash and on and on. Worry about the things that actually matter and then there won't be posts like this.

    I hope you don't get locked out of your car, it's very annoying.

  • I don't remember Sophos saying anything about removing the SSL VPN functionality. Is this true....? I heard about ZTNA, whatever that is, but don't remove SSL VPN. This push to the cloud is getting ridiculous. 

    Even Christian Lempa, who is a highly vocal engineer for Sophos, does a video on YouTube about why the cloud (e.g. Cloudflared tunnels) is not even a good idea compared to on-premise VPN.

  • There's no plan to remove SSL VPN. 

  • I believe he was referring to the SSL VPN client that was replaced with the SOPHOS Connect VPN client.