
[LetsEncrypt] How To in Sophos Firewall

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Hi Guys,

This Recommended Read goes over different options to obtain a Let's Encrypt certificate.

Overview

UTM has LE support for WAF (since UTM 9.6). But on Sophos Firewall you can use LE certificates as well! It seems many people do not know this: you simply need a small Linux server and 5-10 minutes of your time every 3 months. Or you automate it.

First of all, I want to share the "how it works" page of LE: https://letsencrypt.org/how-it-works/

My Setup.

Internet - Sophos - Ubuntu 20.04 LTS
Ubuntu has "certbot" installed. Feel free to use other LE clients.
https://certbot.eff.org/ https://certbot.eff.org/lets-encrypt/ubuntubionic-apache
Simply follow the guide for your OS. I am relying fully on those tools for the renewal process.

Next step: I am choosing the HTTP-01 method for LE, so I need a DNAT for LE to my Ubuntu.

[Screenshot: DNAT rule (V18)]

PS: I am using an HTTP DNAT for the renewal process and deactivate those rules after the process. But you can also restrict it to the LE IPs only:
https://community.letsencrypt.org/t/can-i-get-list-ip-from-letsencrypt/57117
PS2: You could switch to DNS validation as explained in this Community thread.

The next step is to check your domain. Your DNS A record should point to your WAN IP; otherwise this process will not work.
So perform a dig / nslookup of your domain. It should point to your WAN IP so that your DNAT works and the HTTP packets are forwarded to certbot.
You can also use the free Sophos DDNS service. https://community.sophos.com/kb/en-us/123126

Certbot

Let's start certbot and try it.
My renewal process is straightforward:

(Be careful: LE blocks you for some time after a couple of "failed" requests. So check everything!)
In the end you will get 4 files on your Linux: Public, Chain, Fullchain, Privatkey certificates.

Upload to Sophos Firewall

You will use the Public and Privatkey certificate.
There are a couple of approaches to upload this to Sophos Firewall.

The first LE cert can simply be uploaded.
Use the Public.pem as "Certificate" and the Privatkey as "Private key".
PS: You have to rename Privatkey.pem to Privatkey.key; otherwise Sophos will not accept the certificate.
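As an added example (not code from the post or from Sophos), a small Python pre-flight and staging script for the two checks above: it verifies that the domain's A record resolves to the WAN IP before certbot runs, and afterwards validates certbot's four output files (certbot names them cert.pem, chain.pem, fullchain.pem and privkey.pem; the post calls them Public, Chain, Fullchain and Privatkey), confirms fullchain is cert plus chain, and copies them out with the private key renamed to privkey.key as the Sophos upload requires. The live directory, WAN IP and output directory are the caller's inputs; the demo function uses constructed PEM stubs, not real certificates.

```python
import os, socket, tempfile

# certbot writes these four files under /etc/letsencrypt/live/<domain>/
CERTBOT_FILES = ("cert.pem", "chain.pem", "fullchain.pem", "privkey.pem")

def dns_matches_wan(domain, wan_ip, resolve=socket.gethostbyname):
    """Pre-flight: the public A record must be the firewall's WAN IP, or the
    HTTP-01 request never reaches the DNAT, certbot fails and LE rate-limits you."""
    return resolve(domain) == wan_ip

def _read_pem(path, marker):
    with open(path, "rb") as fh:
        data = fh.read()
    if marker not in data:
        raise ValueError(f"{path}: not PEM, {marker.decode()!r} missing")
    return data.strip()

def stage_for_sophos(live_dir, out_dir):
    """Check certbot's output and copy it for the Sophos upload form: cert.pem is
    the 'Certificate', privkey.pem is renamed to privkey.key because SFOS rejects
    a .pem private key, chain/fullchain go under Certificate Authorities."""
    missing = [n for n in CERTBOT_FILES if not os.path.isfile(os.path.join(live_dir, n))]
    if missing:
        raise FileNotFoundError(f"certbot did not produce: {missing}")
    cert = _read_pem(os.path.join(live_dir, "cert.pem"), b"BEGIN CERTIFICATE")
    chain = _read_pem(os.path.join(live_dir, "chain.pem"), b"BEGIN CERTIFICATE")
    full = _read_pem(os.path.join(live_dir, "fullchain.pem"), b"BEGIN CERTIFICATE")
    key = _read_pem(os.path.join(live_dir, "privkey.pem"), b"PRIVATE KEY")
    if full != cert + b"\n" + chain:  # stale or mixed-up renewal output
        raise ValueError("fullchain.pem is not cert.pem + chain.pem")
    os.makedirs(out_dir, exist_ok=True)
    staged = {"cert.pem": cert, "chain.pem": chain, "fullchain.pem": full, "privkey.key": key}
    for name, data in staged.items():
        with open(os.path.join(out_dir, name), "wb") as fh:
            fh.write(data + b"\n")
    os.chmod(os.path.join(out_dir, "privkey.key"), 0o600)  # key stays owner-only
    return sorted(staged)

def demo_with_constructed_files():
    """Runs stage_for_sophos on constructed PEM stubs (not real certificates)."""
    live, out = tempfile.mkdtemp(), tempfile.mkdtemp()
    def pem(label, body):
        return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
    cert, chain = pem("CERTIFICATE", "LEAFSTUB"), pem("CERTIFICATE", "CHAINSTUB")
    files = {"cert.pem": cert, "chain.pem": chain, "fullchain.pem": cert + chain,
             "privkey.pem": pem("PRIVATE KEY", "KEYSTUB")}
    for name, text in files.items():
        with open(os.path.join(live, name), "w") as fh:
            fh.write(text)
    return stage_for_sophos(live, out)
```

Run the DNS check before `certbot certonly`, and the staging function after it; the staged privkey.key and cert.pem are the two files the Sophos "Certificate" and "Private key" fields take.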

 

Optionally you can upload the other Chain and Fullchain certificates under Certificate Authorities (without private key).
Now you can use this certificate for WAF/Webadmin.

When renewing (every 90 days), you have to choose a process.

Automation 


You can simply upload the new LE certificate under another name and replace it in WAF/Webadmin.
Or you can "update" the current LE certificate with the new public.pem / privat.key. For this method, however, you have to switch to a fallback certificate in WAF/Webadmin first, because Sophos cannot update a certificate that is currently in use.

After all, these steps are a manual process every 90 days.
You can script this if you want to: basically, upload the certificate to Sophos Firewall every 90 days.
https://community.sophos.com/kb/en-us/132560
Other members of the community have already written scripts for this.
https://community.sophos.com/products/Sophos -firewall/f/sophos-Sophos -firewall-general-discussion/102208/upload-certificate-using-api
https://community.sophos.com/Sophos -firewall/f/discussions/126295/automatically-renew-let-s-encrypt-ssl-certificates-on-Sophos -using-powershell
https://github.com/mmccarn/sophos
https://community.sophos.com/sophos-Sophos -firewall/f/discussions/129768/letsencrypt-api-update-script---dynamically-handles-multiple-certs-multiple-rules-including-re-grouping-of-policies-rules
https://community.sophos.com/sophos-Sophos -firewall/f/discussions/134534/sophos-Sophos -api-lets-encrypt-powershell-7-waf-update
https://community.sophos.com/sophos-Sophos -firewall/f/discussions/138668/upload-certificates-using-powershell-to-automate-let-s-encrypt

If you want to script this, the community can help if you are struggling at some point!
Simply open a new thread with your API issue and we will try to find a solution.

Sophos Factory

Sophos Factory brings a new tool to automate script-based approaches. This means you can easily run a script like certbot or Lego in a Sophos Factory environment to generate the certificate and upload it to the Sophos Firewall.

Sophos Factory offers a free Community Edition. https://community.sophos.com/sophos-factory/ https://community.sophos.com/sophos-factory/b/release-notes-news/posts/get-started-here-sophos-factory-offer-automation-for-all-with-its-free-community-edition

Within Sophos Factory it could look like this:

Each step is one scripting component. By using tools like Lego and GitHub, the "pipeline" runs once, generates the certificate and uploads it to the firewall.

Contribution:

https://zerossl.com/free-ssl/#crt Free alternative to this approach
For the GitHub script.
Thanks for the PHP script!
For a PowerShell script with WAF integration.
For another version of a PowerShell script.



Updated Disclaimer
[edited by: Erick Jan at 9:16 AM (GMT -7) on 17 Apr 2023]
  • Added Sophos Factory to this Thread. 

    __________________________________________________________________________________________________________________

  • This feature was one of the top-ranked requests in Ideas (RIP).

    On every corner of the forums people ask for it.

    The feature was promised at the same time it was for UTM. UTM has had it for years now, and for XG it is still "on the roadmap" with no sign of anybody even touching it.

    Just another feature the "next gen" does not have, and likely will not get any time soon.

    Sophos' communication on development and feature implementation in XG is getting to a point where it is embarrassing at best, fraudulent at worst.

  • Because we want the firewall to do it. What don't you understand? Again, the most requested feature for XG. We don't care that Sophos "needs a change in the entire certificate management of SFOS (core)"; this should have been done long ago, back in V16. I'm done with the back and forth about this. You see what the customers and end users want. We have asked for years. Stop making excuses and make it happen. Support HTTP and DNS and let the end user choose.

  • I do not understand why the firewall should take on the work of being a certificate store. But I am from the old school of having a separate service for such tasks. And I am a fan of automating such tasks for multiple instances at once.

    Again: I am not a Product Manager, nor do I have influence on the roadmap or any other topics. I am here to help and give advice.

    If you want to prioritize this, feel free to reach out to your local Sales rep to get it sorted out.

    I cannot comment on this any further.

    __________________________________________________________________________________________________________________

  • SFOS has a WAF, that's why. UTM supports it. Put your products on feature parity. It's simple. Clearly, if UTM has it, someone at Sophos thought it was an important feature and could see the need for a firewall to handle the certificates of the websites that use its WAF.

  • So you will need Webserver Protection licenses for LE? That would be a requirement to get this to work. And most customers I am talking to are not licensing WAF anymore (only if Exchange on-prem is present).

    Again: If you have a business case and a customer needing this feature, you can contact Sales to get the prioritization right. I am not seeing many LE requests from customers lately.

    I am more into implementation of ZTNA lately, and ZTNA needs a wildcard certificate, which means it needs the DNS LE challenge as well.

    __________________________________________________________________________________________________________________

  • I don't know if our provider would support that (SCHLUNDTECH), but that's not the point.

    On the UTM it has worked since version 9.6 from 2018-11-22 with the HTTP method. In the XG/SFOS timeline that would be 17.5 MR9 or so.
    We have seen 18, 18.5 and 19 since then and still the community feels a bit "ignored" when such an often-requested feature is somewhere down in development.

    I don't see the point you state about the "much more secure" DNS way. UTM users have been able to choose the "unsecure" HTTP method for almost 2 years now. UTM users can choose whether or not to; XG users have no choice and can be somewhat frustrated.

    Don't get me wrong. In our deployments there is mainly one certificate in use for the user portal and web admin. If the customer has a more complex WAF, he is using a wildcard certificate. No deal.
    But if I imagine some of our customers with their 10+ domains that all have some kind of subdomains and different portals, they won't be using 10+ wildcard certificates because of a firewall that is not able to do LE integration. They would change their vendor, because they could nearly buy a new firewall for the wildcard certificate costs.

    Sophos should make clear whether they want to target customers from small to enterprise size, or maybe BIG enterprises only, where "additional costs" for a firewall (like certificates, renewal processes) don't count.

    Regards,

    Kevin

    Sophos CE/CA (XG, UTM, Central Endpoint)
    Gold Partner

  • As far as I know, you are in the German/DACH market: could you give me (via DM) a list of those customers facing these challenges of multiple domains? Because I am not seeing nor talking to them.

    If this is the reason they change their vendors, this needs to be clearly addressed to Sophos. I am not seeing any customer coming to us and telling us/me: "I cannot migrate to SFOS or cannot use SFOS because of lack of LE."

    If you have such customers, feel free to reach out to me to discuss this further.

    __________________________________________________________________________________________________________________

  • I don't have a list of customers; I only wanted to give you some arguments about how small businesses, at least here in Germany, are thinking.

    We as a Sophos Partner are already having issues selling them a newer firewall or renewals (because of the bill they have to pay); they don't spend money on IT security like big enterprises do. We are glad about any customer we can move to Sophos from another firewall vendor. But at the latest with the next renewal we get "can we do something about the pricing?" as the first response. Having them migrate to a new system that maybe has more, but on the other side FEWER, features than the previous firewall, we have to explain to them why they need an additional 15€/year SSL certificate for webadmin/userportal, no joke!

    I just wanted to remind you that not all Sophos customers are the same, and in my opinion Sophos is putting the focus only on big enterprises, at least since the takeover/investment by Thoma Bravo.

    Regards,

    Kevin

    Sophos CE/CA (XG, UTM, Central Endpoint)
    Gold Partner

  • This is clear, but I want to point out: if you come across customers like that, please inform Sophos during this process of migration and discussions. If nobody is reaching out to Sales about the issues you have, they cannot be addressed.

    __________________________________________________________________________________________________________________

  • Sophos should be aware of it: User Voice and all the comments with every release. If they are not aware, they don't care about their customers.
