
LetsEncrypt Functionality WAF

Hello all

At the moment I use Sophos UTM and WAF with LetsEncrypt.
The function in UTM runs well and is easy to use.

In the near future I want to migrate to Sophos XG.
My question is, is it planned in the near future to integrate LetsEncrypt in Sophos XG?

For me LetsEncrypt functionality in WAF is an essential feature.

I will not switch as long as the integration is not there :-/



  • As this feature is not implemented yet, there are several questions to be asked:

    For which feature do you need the LE certificate?

    Can you run your own server behind the firewall that could take over the LE handling?

    Is this the only blocker for your migration?

    As this feature can be worked around with a third-party LE handler (like certbot) and automated via API, it could easily be integrated in your environment, if needed.

  • Will the feature ever be implemented for the XG? I don't understand why Sophos has integrated this feature in the UTM but is no longer tracking it on the XG.
    Yes, it should be possible to implement a separate server for the LE handling. However, I find this way a bit cumbersome if I am honest. Unfortunately, that then again means another server that must be maintained.

  • Why do you need this feature in the first place? I cannot comment on the future roadmap.

  • Why?  Because this greatly simplifies and centralizes setting up WAF auto-renewing certificates in front of hosted web services, without having to mess with certs and LetsEncrypt on the web services themselves.  Admins can easily leave the internal web services with extended self-signed certificates, or even add TLS to plain unencrypted services, some of which can be complicated to work with.  This is now extra important with the current 1yr max cert limitation for many mobile devices and browsers.  Even going out to buy a 3rd-party public cert can mean updating on multiple servers every year, and we have better things to do with our time, hence further love for LetsEncrypt and the UTM's integrated feature.

    Yes, various 3rd-party scripts can be used, but then this has to be done and managed on multiple servers, which in many cases can be quite frustrating and hard to troubleshoot.  Same issue with using a 3rd-party script to update certs on XG via API.  This should be totally unnecessary in 2021, as has been pointed out time and time again.

  • Hello RaveNet, I agree that it is strange that Sophos (or its representative) is asking about something so obvious.

    Joy

    Regards

    alda

  • I am asking for this because I want to understand why you need/use a publicly signed certificate in the first place. So you use the WAF in both products. That's the answer I needed.

    Because even this is possible to cover with a script.

    Is WAF the only module you are using LE for? Presumably also the Webadmin/User Portal?

  • For me the missing Letsencrypt integration is also one of two major migration blockers from SG to XG.

    We are using the WAF very heavily, and all sites published via WAF have an LE certificate managed by the SG. Also the User Portal and Email are using LE certificates.

    On SG the Letsencrypt functionality is really simple to use and nearly "set and forget". I really like the feature and think it is a big advantage compared with other UTM appliances.

    Of course with XG it is possible to find workarounds by using paid certificates or by scripting the LE process on another system. But this would be a big step back when migrating from SG.  When I migrate to a new firewall, I don't want to take steps back.

  • I use LE for WAF and webadmin/userportal on UTM wherever I can.  This is one of the major remaining roadblocks to moving customers to XG.

    No, we aren't willing to run some script elsewhere to manage LetsEncrypt on XG.  One of my UTMs alone has over a dozen LE certs on it for various WAF services, plus for webadmin.  And this is just my own home testing firewall.  I'm always spinning up some test web service for myself, or to demo to a client, which sometimes I do using their own domain, so I don't want to install their certificate, even if it is available to me, on my firewall.