SFOS QoL and feature improvement suggestions

Hi everyone,

I'm currently employed by a platinum partner MSP and part of a small team with extensive experience deploying and maintaining several hundred SFOS-based firewalls (and a few leftover UTMs). Over the years, we've witnessed the product's growth, but we've also encountered recurring issues that could be addressed to improve the product experience. The goal of this post is to offer constructive feedback to enhance the product's usability and efficiency. This is not a critique of the product or its developers, but rather an attempt to provide valuable insights based on our daily management and experiences with versions up to 20.0.0.

User Interface Scaling for Widescreen

While recent updates have made the UI more widescreen-friendly, there's still room for improvement in utilizing additional screen space effectively. For instance, the "Edit firewall rule" dialog box does not scale well. Fields like "Source networks and devices" require users to hover over objects to view details, leading to inconvenient "hover over the object and then hover over the object name within the popup" actions. Enhancements could include:

• Better dynamically scaling of object boxes and fields according to the browser viewport.
• Increasing the size of tooltips to eliminate double-hovering.
• Bonus: Adding 1-click copy functionality for values within the popup.

Example Screenshots:

XML API

The existing XML API is somewhat cumbersome (yes, we are aware of the SDK) to work with and does not align with the JSON-based APIs available for Sophos Central products. Transitioning to a more standardized JSON API would be beneficial.

Renaming Objects

Renaming objects presents several challenges:

• Site-to-Site VPN IPSec Connections: Cannot be renamed directly and must be cloned/deleted and recreated, leading to the loss of tunnel interfaces and more configuration down the line
• SD-WAN Profiles and Routes: Similarly, renaming these requires recreation and can cause related objects to be deleted without warning.
• PPPoE Interface: Renaming causes a reconnection.

There is probably more places of this issue being present.

These issues can be particularly frustrating in complex configurations. A more intuitive renaming process would greatly improve user experience.

Special Characters

The handling of special characters in names is inconsistent. For example, whitespaces and dashes are allowed in some places but not in others. Standardizing the use of special characters across the platform would eliminate confusion and simplify adherence to naming conventions.

Printable Configuration

The printable configuration feature from the Sophos UTM days was invaluable for documentation. Currently, the XML export is available, but it is not user-friendly and not a valuable option for customer handouts. A more accessible format for configuration export would save time and greatly improve documentation processes.

Audit Logging

The current audit logging lacks a lot of detail. More comprehensive logs, including before/after configuration diffs, are essential for effective auditing and are frequently requested by customers.

Configuration Snapshots/Diffs

Managing, storing, and diffing configuration snapshots would be extremely useful. Currently, this can only be done externally via XML exports or restoring an old backup, which is anything but ideal.

Firewall Logging to File/Export

While in-depth firewall logging is available, exporting large datasets to CSV or other formats is difficult. The log viewer's lazy loading behavior is cumbersome for high-traffic environments. An option to export logs directly would be beneficial, especially for those without a syslog server. The option of writing the firewall log to something like /log/packetfilter.log would go a long way (with carefully tuned log rotation).

This also applies to using tools like "grep" on firewall logs, which can be invaluable in complex troubleshooting scenarios where the log viewer is not powerful enough for advanced queries.

Configurable Log Rotation

Customizable log rotation settings based on time and size are needed, particularly when troubleshooting. This would prevent logs from being overwritten before they can be backed up.

Packet Capture in WebUI

Currently, changing packet capture filters requires disabling and re-enabling the capture. It would be more convenient if the filter changes took effect immediately. Additionally, the ability to download the current capture as a pcap file would be a useful feature.

Central Managed Settings/Objects

A clear indicator showing which settings or objects are managed by Sophos Central would be helpful. While using a prefix like "C-" can serve as a workaround, a more integrated solution would improve clarity.

Login Captcha - ACL Exception

While the captcha for logins can be disabled via the Device Console, having the option to whitelist specific IPs under the "Local service ACL exception rule" would provide better convenience without the security implications of a global / zone disable.

No VXLAN Support

The lack of VXLAN support limits the firewall's applicability in certain projects. Adding this feature would make the firewall more versatile and valuable option.

Simultaneous Display of IPv4 and IPv6 Firewall Rules

Managing dual-stack deployments is challenging due to the default separation of IPv4 and IPv6 rules. A unified view with visible indicators for rule types would streamline administration.

DHCP Relay Over Tunnel Interfaces

Currently unsupported, this feature would be beneficial for certain network configurations.

Site-to-Site IPSec Tunnels via Non-WAN Zone Interfaces

Support for establishing Site-to-Site IPSec tunnels via non-WAN zone interfaces would be useful for specific MPLS setups.

If you have any questions or would like more detailed information on specific points, please do not hesitate to ask.

Thank you for your time and consideration of these suggestions.