Thread Info
  • State Not Answered
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 14 replies
  • Subscribers 31 subscribers
  • Views 3267 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Everyone Please Read!!! Sophos Removed a Feature with No Notice

MichaelBolton

Hello everyone,

Most may not realize this because you don't use it, but Sophos has decided to remove a feature from our firewall with no notice at all.

They have removed the HTTP/HTTPS bookmark feature from clientless access on V17.X. This feature removal was previously announced and told it would be in an upcoming major release, I.E. V18. It would not affect V17.

Over the past weekend, Sophos decided to remove the feature from any device running V17.x. They did so with no notice at all. The hotfix was deployed the same day the notification was released. Here is the notification https://community.sophos.com/products/xg-firewall/b/blog/posts/sophos-xg-firewall-http-s-bookmarks-feature-retirement.

This feature may not matter to you, but I bring it up beacuse our firewall vendor decided to remove a feature from a production product with no notice whatsoever. I tagged  and  in the comments but did not get a response.

If Sophos will remove that feature with no notice, what will they do in the future? What an unbelievable move from a firewall vendor. We use this feature and have no alternative right now. WAF does not suport 2FA and we cannot install a VPN client as we don't own these machines.

Let's all ask for answers! How can Sophos do this with no warning?

Mike



This thread was automatically locked due to age.
Parents
  • 0 in reply to FloSupport

     this is not an answer. This is just stating a vulnerability was found. FIX the vulnerability. Don't take a feature away from a licensed and supported product because product management and development don't want to invest the time into fixing it. V17.5 a fully supported version according to Sophos' support policy. You cannot remove a feature with no notice because it was the easy thing to do. I need it back or I need WAF to support 2FA, plain and simple. My issue will not be resolved until either of those happen, and I will continue to open support cases until it is resolved.

  • 0 in reply to MichaelBolton

    Adding my two cents here.

    If v17 is still officially supported then removing a feature because it has a vulnerability is a very poor choice indeed.

    I'm a Tier-3 network engineer for a Fortune-X company and I would be exceedingly concerned if one of our vendors did something like that. Since I'm a Sophos-home user it would be mostly a nuisance, but in the corporate world we're in a different league.

  • 0 in reply to Arie

     thanks for for post. We do use Sophos devices in a corporate environment, unfortunately. These devices have current support contracts as well. It is a red flag for a vendor do this and one that will push us away from them. This opens the door for any feature to be removed if a vulnerability is discovered. I just can't understand how they think that is ok to do.

  • 0 in reply to MichaelBolton

     Thanks for confirming that.

    I'm periodically asked about Sophos by other teams at the aforementioned Fortune-X company and so far I have not felt comfortable recommending the Sophos line-up. Too many issues like this, too many quirks, too many outstanding (very old) feature requests, and too little emphasis on meeting security requirements like PCI-DSS. And the update cadence...

    Problems with the Sales Dept as well - try asking how to run a single license for InterceptX on a client machine with multiple users in an EDU-setting. According to the License Agreement this is an option, but Sales can't seem to figure this out.

    For small companies, non-profits, and schools Sophos may be a viable option. But I'm not ready to stake my reputation on it for larger companies yet.

  • 0 in reply to Arie

     I have had too many issues with them as well. I would not recommend them for anything over a small business.

    I am still waiting for them to get the XG platform FIPS 140-2 certified. I was told they would with V18, but I don't even see where they have started the process. V18 was supposed to be release in 2018, so, who knows how long it'll be.

    I do have a call scheduled with product management this week though to discuss it. We'll see what happens. I have a feeling I'll be looking for another vendor, which is a shame since they have great technology with the ability to integrate XG with Intercept X

Reply
  • 0 in reply to Arie

     I have had too many issues with them as well. I would not recommend them for anything over a small business.

    I am still waiting for them to get the XG platform FIPS 140-2 certified. I was told they would with V18, but I don't even see where they have started the process. V18 was supposed to be release in 2018, so, who knows how long it'll be.

    I do have a call scheduled with product management this week though to discuss it. We'll see what happens. I have a feeling I'll be looking for another vendor, which is a shame since they have great technology with the ability to integrate XG with Intercept X

Children
  • 0 in reply to MichaelBolton

    Agreed on it being a great product, but also agreed that there are just too many items that preclude it from being a good choice for all but small companies and non-profits.

    Here's another essential feature request Sophos "is considering": https://community.sophos.com/products/xg-firewall/f/web-protection/75113/how-do-i-re-categorized-specific-url-domains-and-ip-address-to-already-included-categories

    That was four years ago...

    I'm tempted to start a new topic to list the outstanding issues, but I'm afraid that it'll become unwieldy very quickly and in the end not much will change.

  • 0 in reply to Arie

    LOL yes that is one I have been waiting on. Also waiting on IKEV2 remote access. They "just" released IKEV2 site to site tunnels and route based VPN not long ago. Features a 50 Microtik have. They are very far behind and they know it.

    There are alot of very active forum members like    and  (sorry for anyone that I didn't tag, I know there are others I have talked) that have all voiced their concerns but it doesn't seem to matter. Sophos does what they can make the most money on. I would wouldn't waste your time opening a new topic of missing features and outstanding issues. Most of us here already know the list unfortunately.

    I am very curious as to how this conversation will go tomorrow. I will definitely post what happens.

    Side note, what do you guys run in your corporate network?

  • 0 in reply to MichaelBolton

     

    thanks for your post. I am not writing on the community anymore as I have some personal problems that take me all day so I have no time to stay connected!

    Regarding this feature, this is something that many users use and Fortigate have been implemented from many years now and it is still used. I guess that they are removing as it is not designed/implemented securely. As I said, I guess. Someone here, like me is a Sophos Partners, but we do not have a say to decide if a feature should be removed, added and so on.

    From my understanding, Sophos XG group is not open like the UTM group was! Indeed, every feature here for Sophos Devs and Sophos Product Manager (XG's line product) needs to be (SW developers call them) Use Case. Nothing against it. The main problem is who gives to them the use cases and how. In every communication and translation there is a misunderstanding. v18 is a nice stepforward but from my point of view is not the product that should be, based on the efforts Sophos spent since 2015. The product is still unstable, some features are implemented half and so on.

    My advice for Sophos is to consider properly who is the customer in the SDLC (SW Development Life Cycle) because if from the other side they have Parterns that do not understand what their customers want, what other vendors do, we have the product we see today. If the input is wrong + issue emerged during translation, you can imagine the result is totally different from what the market is expecting.

    I am preparing the SW Development exam (Master Degree in Computer Engineering) and I can now understand what developers and product manager do and how they think, but most of the output depends on customer input, feedbacks from the customers and how this feedbacks are re-iterated in the next sprint or timeboxed. I would suggest Sophos to create more feedback questionairre, involving new customers during their development, writing USE CASES and LISTEN LISTEN LISTEN. If I think the NAT translation implemented in the firewall rule.....OMG! I offered myself voluntary to be involved as a "customer" during their development but for the moment, no voice, no feeedback, nothing!

    I still have issue with Skype calls and empty the recycle bin in hotmail.com when I am connected to XG and from the logs you do not understand what is wrong, you can imagine how happy I am (I am using HTTPS scanning).

    This is my opinion!

    Regards