Everyone Please Read!!! Sophos Removed a Feature with No Notice

Hello everyone,

Most may not realize this because you don't use it, but Sophos has decided to remove a feature from our firewall with no notice at all.

They have removed the HTTP/HTTPS bookmark feature from clientless access on V17.X. This feature removal was previously announced, and we were told it would be in an upcoming major release, i.e. V18. It would not affect V17.

Over the past weekend, Sophos decided to remove the feature from any device running V17.x. They did so with no notice at all. The hotfix was deployed the same day the notification was released. Here is the notification https://community.sophos.com/products/xg-firewall/b/blog/posts/sophos-xg-firewall-http-s-bookmarks-feature-retirement.

This feature may not matter to you, but I bring it up because our firewall vendor decided to remove a feature from a production product with no notice whatsoever. I tagged  and  in the comments but did not get a response.

If Sophos will remove that feature with no notice, what will they do in the future? What an unbelievable move from a firewall vendor. We use this feature and have no alternative right now. WAF does not support 2FA, and we cannot install a VPN client as we don't own these machines.

Let's all ask for answers! How can Sophos do this with no warning?

Mike



This thread was automatically locked due to age.
  • There was a notice on XG dashboard for at least half a year that HTTPS Bookmarks will be retired...

  • 100% agree.

    Even if this is a rarely used feature and the technology behind it was never meant for large-scale deployment, it is a no-go to remove features via hotfix on existing devices.

    It is okay if features are removed in future releases, but it is up to the customer to decide when to upgrade.

    From a legal standpoint, the customer has purchased a product, and paid money for, the feature set it had at that time.

    In my opinion, Sophos should not be allowed to remove a feature that the customer has paid for without the customer's consent.

    Of course, the customer can disable automatic hotfixes, but that would heavily reduce security in case of real "hotfix" situations.

  •  that notice stated it would be removed in the next major version, which would have been V18, not V17.x. The notice for V17 was posted on June 20th and the hotfix was deployed the same day. That did not give any customer a chance to migrate off of that feature, which is unacceptable. The feature should have remained on any firewall running V17.x, and the customer would have known that if they upgraded to V18, they would lose the feature.

     exactly. I knew it would not be available when the units were upgraded to V18, but to remove something with no notice is ridiculous. I did not even have time to disable automatic hotfixes because they pushed it as soon as the notice was posted.

  • https://community.sophos.com/products/xg-firewall/f/network-and-routing/121486/user-portal-disabled-across-multiple-xg-firewalls-by-cli-user/441667

    Sophos Product Management have also decided to take it upon themselves to exercise their perspective and choices without consent or prior notification either.

    Emile

  •  I ran into that issue as well, unfortunately. Still no one from Sophos will comment either. Nothing surprises me anymore with them. We'll be moving away from them when the licensing expires. I've had enough.

  •  this is not an answer. This is just stating that a vulnerability was found. FIX the vulnerability. Don't take a feature away from a licensed and supported product because product management and development don't want to invest the time into fixing it. V17.5 is a fully supported version according to Sophos' support policy. You cannot remove a feature with no notice because it was the easy thing to do. I need it back, or I need WAF to support 2FA, plain and simple. My issue will not be resolved until either of those happens, and I will continue to open support cases until it is resolved.

  • Adding my two cents here.

    If v17 is still officially supported then removing a feature because it has a vulnerability is a very poor choice indeed.

    I'm a Tier-3 network engineer for a Fortune-X company and I would be exceedingly concerned if one of our vendors did something like that. Since I'm a Sophos-home user it would be mostly a nuisance, but in the corporate world we're in a different league.

  •  thanks for the post. We do use Sophos devices in a corporate environment, unfortunately. These devices have current support contracts as well. It is a red flag for a vendor to do this, and one that will push us away from them. This opens the door for any feature to be removed if a vulnerability is discovered. I just can't understand how they think that is ok to do.

  •  Thanks for confirming that.

    I'm periodically asked about Sophos by other teams at the aforementioned Fortune-X company and so far I have not felt comfortable recommending the Sophos line-up. Too many issues like this, too many quirks, too many outstanding (very old) feature requests, and too little emphasis on meeting security requirements like PCI-DSS. And the update cadence...

    Problems with the Sales Dept as well: try asking how to run a single license for InterceptX on a client machine with multiple users in an EDU setting. According to the License Agreement this is an option, but Sales can't seem to figure this out.

    For small companies, non-profits, and schools Sophos may be a viable option. But I'm not ready to stake my reputation on it for larger companies yet.