We’ve been asking for this feature for YEARS now. It’s just unacceptable that Sophos hasn’t implemented it on XG. I’ve been on XG since V15 as others have, and we’re tired of asking for features and not getting a delivery. This request really isn’t that hard. Just make it happen so we can stop having to use these work around. It’s ridiculous.

Thanks for your Feedback. 

Will this be in V19?

No. 

Not for the next upcoming V19.0 Release at least. 

As someone who's on UTM at work and is considering the move to XG this is one of those things that makes me stop considering XG entirely.

I know it's small, I know XG has an API I can use to automate stuff... but at the same time if the approach is that I need to write my own stuff  and make my network design more complicated in the process... then why would I want that?

It depends on the future of your implementation and investment into the security market. UTM is a standalone product while SFOS integrates into Central and other products from Sophos. See the future of IT security and the implementations, Sophos is going to do. (See Sophos Switches, ZTNA etc.). Most of those features will rely havely on a Sophos SFOS Appliance. 

If LetsEncrypt is your only blocker, this could be easily replaced by purchasing a wildcard certificate for your domain. In SFOS you can simply generate a CSR, get this signed and you do not have to do anything for the next ~3 years. Personally i do not see LE as that blocker, as certificates are not that expensive in the first place. 

We just need a powerful-enough firewall for our office. We don't have a huge datacentre or anything (a few internet facing services and small-scale internal AD-based Windows infrastructure), and the one and only reason I was even considering XG in the first place is because it's supposed to be faster than UTM. OK, that and it's marketed as the "next" cool thing. ;) Central is something we don't need at all (oh it sounds powerful... but seems completely wasted in our scenario).

To make a switch to XG it needs to be:
a) faster than UTM (it probably is?)
b) I can't spend too much time configuring it to get our infrastructure to be in the same state as it currently is

Lack of LE fails requirement b). Sure, I can get a wildcard certificate (not free, needs manual renewal every n-years). Or... I can do nothing and stay on UTM, at least until our network grows to the point where our small UTM hardware is no longer adequate. At which point we can try upgrading to XG or... get a more potent UTM, if XG still fails requirement b).

To be absolutely truthful - the approach to designing rules in XG feels so... reversed from UTM that I'm having a hard time wrapping my head around it. (This is why I have an evaluation version to toy around with on a VM.) But that already makes me weary of migrating and then there're the little things like missing LE...

I cannot challenge more the issue only rely on a firewall for security. It is not and should not be your only line of defensive. I am talking about security and how to prevent spreading and XDR in his complete vision. 

I am not here to get you to SFOS. That is not the purpos of this thread i can only tell you, there are attacks out there, which needs more then a simple firewall to prevent. Feel free to watch this summit: https://community.sophos.com/b/community-blog/posts/register-now-sophos-cybersecurity-summit-2021-december-1st or any cybersecurity Ressource out there. 

I need to make sure I understood you correctly.

Did you just state that Sophos UTM does NOT offer sufficient security and is, in fact, a "simple firewall"?

Its about a IT security concept. A firewall is never be sufficient to totally protect a customer. Look out for the current IT threat landscape: https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf 

Its about a IT security concept. A firewall is never be sufficient to totally protect a customer. Look out for the current IT threat landscape: https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf 

The question was not, whether a firewall is sufficient, but WHY XG still misses vauluable UTM-Features (no LE-Support in XG after years) and why XG is so confusing for UTM-Admins.

Thanks @LuCar Toni for his efforts to make a firewall for which Sophos charges a lot a bit better.

Shame on Sophos for dropping UMT and replacing it with amateur style XG.

@Mateusz Bender:
Be aware, XG Executive Reports are far from being as informative as UTM short reports.
Lots of pages, but to find out some background, about things you need to dive deep in log filtering.

For Reports, check Central Reporting. This tool is far ahead of UTM. You can build reports at your own need and send them to everybody as you like. 

I'd just like to point out... I've recently purchased an ASUS RT-AX55 for home use. It has LE support built in OOB. Again, I feel the need to stress this - a fairly cheap home-router has built-in LE support, while Sophos, offering a fairly expensive enterprise solution is unable or unwilling to add LE support to their FW...

The prioritization of the feature is not as high as other features, which are currently under deployment. 

LuCar Toni I'm not trying to start an argument when I say this, because that is what seems to happen with you anytime someone points out a feature that Sophos doesn't have. This is a community forum to help everyone and the product evolve.

That being said, you can't be serious with that response. This has been the most requested feature since 2016. It's clear your customers want it. Sophos just needs to make it happen. I agree that ZTNA is awesome and is the future, but don't leave the existing customers to suffer until they adapt it. LetsEncrypt is really not hard to implement. Just make it happen and stop making excuses. 1244 votes for it! Just do it already. Should have been in V17 IMHO.

ideas.sophos.com/.../13368852-let-s-encrypt-integration

I am not a Product Manager, i am simply a User of the product like you, but i am using LE on a SFOS Appliance since 2018. It was pretty easy to implement it via Script and this took the need from the product to support it. 

BTW: I migrated most resources to ZTNA, which left only the user Portal and the Webadmin with LE. Webadmin only for internal access. 

That's unbelievable.
You are telling us, sophos is completly ignoring, what their customers are requesting for at least 5 years.
Sorry, but this disqualifies as a reliable supplier for us, and I can't recommend them and their product's any more.
If it is as easy to implement as you say, why does sophos risk to loose customers instead of just implementing this feature ?
Maybe sophos should think about, who is paying the bills and therefor their sallaries.

Thanks for your Feedback. 

Not Implementing Let's Encrypt and removing WAF from the "all inclusive" bundle while offering a product like ZTNA clearly shows the strategy of sophos to reduce the Sophos firewall back to a basic firewall with "sync sec" features on a long-term.

if you want to use LE with a sophos product choose utm, since it is not marked as EoL you'll have fun with it for at least three to six years.