UTM (Formerly ASG) Feature Requests

Do you have an idea for Sophos UTM? Do you recognize a good idea when you see one? We want to hear from you!

  • Name field for Firewall Rules

    Being able to assign a firewall rule a name that can be tracked through the life of the rule is a great tool to help manage your firewall. If the name also shows up in the logs, especially the live log, it is incredibly useful.

    You don't need to try and track a rule by a number that keeps changing as rules are added or deleted; simply track the rule name.

    This feature is available in other UTM and firewall products. From someone who's used the feature for many years, it is definitely something I miss in the UTM.

    52 votes
    2 comments  ·  Network Protection
  • RED PCI Compliance Changes

    PCI Compliance will always fail on current UTMs using RED. This is due to being unable to disable SSL v3 on this as well as being unable to change the certificates used (currently weak, not using at least 2048 bit keys). Please fix!

    77 votes
    6 comments  ·  Remote Ethernet Device (RED)
  • Sophos UTM software installer with serial console enabled by default

    Please see this www.astaro.org thread:
    https://www.astaro.org/gateway-products/hardware-installation-up2date-licensing/51383-sophos-pcengines-apu-6.html#post286165

    With 8000 views, there is a huge VGA blind but SERIAL aware user community. We would love a serial console (ttyS0) enabled installer image.

    189 votes
    8 comments  ·  Usability/GUI
  • Chaining Web Parent proxies to a non web proxy server

    We should be able to set up parent proxy details where a parent proxy hostname is actually not a web proxy but a gateway. I.e., I want to send all web traffic through to a parent proxy located in my head office (out of their WAN link) and only send traffic to a predefined set of domains via the local gateway.

    39 votes
    1 comment  ·  Web Protection
  • Add ZTE MF 823 to 3G supported device list

    Our ISP only supports ZTE MF 823 USB 3G modems and it is not on the supported device list. Telstra is the largest ISP in Australia and we have many clients requiring 3G failover that are Telstra customers.

    15 votes
    2 comments
  • Hotspot + logout

    Hi there,

    We need a possibility to log out from your voucher, so that I can use the remaining contingent of the voucher another day. The other reason why we need it is that if you leave a public PC, the next person sits down at the PC and can use the remaining amount of the voucher.

    16 votes
    2 comments  ·  Wireless Protection
  • Webserver Protection: Reverse Authentication with NTLM and Kerberos

    The Reverse Authentication feature (UTM 9.2) for WAF is nice progress, but I'm hoping that it will soon be extended. There are many scenarios that require at least NTLM; Kerberos would be nice as well. Yes, we are coming from TMG :-)

    315 votes
    8 comments  ·  Web Server Protection
  • Update the Web Filter to stop using SHA-1 as it breaks functionality for Chrome (which deprecated it earlier this month)

    Google has deprecated the use and consideration of SHA-1 encryption.
    On Chrome, any site using SHA-1 encryption for HTTPS is considered unsecure.
    This not only breaks functionality on most websites when the decrypt and scan option is enabled, it gives the appearance of unsecure web browsing.

    The Web Filter needs to be updated to use something better than just SHA-1 (like SHA-256) instead.

    And this needs to be done IMMEDIATELY.

    27 votes
    1 comment  ·  Web Protection
  • Block IPs using Blacklist/Blocklist Service

    Support the use of blacklists/blocklists. Note that this feature was requested at the link below and apparently Sophos thought that ATP would satisfy the need; however, it does not provide the requested functionality. Therefore I am re-posting this as a new suggestion.

    The old suggestion was marked as implemented by the ATP feature; however, ATP is not what was wanted and generates too many false alerts. This is the prior feature request: http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/1982075-network-security-block-malicious-botnet-bad-ip-s

    Plain and simple: We want support for blocklists, such as those found here: https://www.iblocklist.com. I would also like to specify a blocklist per network. So for example…

    14 votes
    3 comments  ·  Network Protection
  • Check Endpoint security against IPS before rolling out rulesets

    You should check if new rulesets for SNORT IPS are compatible with your own products BEFORE rolling them out. It happens every now and then that the UTM IPS blocks Endpoint installations and/or updates.

    9 votes
    1 comment  ·  UTM Endpoint Protection
  • 38 votes
    8 comments
  • Allowed Target Services For each Client

    Hi

    Please add the allowed target services option in the policy tab for separate services for each user.

    Thank you

    62 votes
    1 comment  ·  Web Protection
  • Attachment, link, and file emulation

    Email is a huge vector for malware. Not all of it comes in as an attachment. Links in email often lead to NEW malware. NEW versions of malware are attached or embedded into Office documents. Files users download may have NEW undetected malware in them.

    Palo Alto has Wildfire. FireEye has a similar service/appliance. Each service takes URLs, Office documents and unknown files and detonates them in a sandbox to determine if they are malware. Previously unseen downloaded files are uploaded to the same service. When NEW malware or malware links are discovered, an update is pushed to all subscribing…

    10 votes
    0 comments  ·  Web Protection
  • IPSEC gateway to a Fritzbox gateway using DYNDNS names

    IPSEC gateway to a Fritzbox gateway using DYNDNS names.
    It's possible, but you need a fixed IP address for the Fritzbox.
    It would be great if I could connect UTM and Fritzbox with DYNDNS names.

    13 votes
    2 comments  ·  VPN
  • SPX encryption: Changing language of SPX Password portal

    It would be nice if you could change the language of the SPX Password portal.

    31 votes
    0 comments  ·  Mail Protection
  • Allow more IPs on Home/Free UTM

    With all the connected devices, it's becoming very easy to hit the 50 IP limit on a home edition license. Throw in a few lab servers and you are almost guaranteed to.

    Any chance this can be increased? I see a few years ago this was done.

    42 votes
    5 comments  ·  Management
  • Ability to block any subdomain in the Blacklisted address patterns

    I would like to block *@*.example.com but it is impossible. Spammers use subdomains in order to bypass the filter.

    51 votes
    3 comments  ·  Mail Protection
  • Enable OTP for WAF on a per-Authentication Profile basis

    At the moment we can use the new OTP feature only for all virtual webservers. Therefore, it is not possible to use this great new function in most implementations.

    For example, many customers want to publish Exchange services like OWA, ActiveSync and Outlook Anywhere: OWA with OTP and ActiveSync without OTP. But that is not possible.

    I suggest you implement a new authentication profile for OTP that we can use in the site path routing.

    7 votes
    0 comments  ·  Web Server Protection
  • Failover Tunnel RED between two UTMs

    With two UTMs connected by Tunnel RED, there is no failover function that works well: when two tunnels are connected between the UTMs and the first one goes down, the second takes over the connections as expected, but when the first tunnel comes back, the traffic stays on the second link and does not return to the first tunnel.

    I ask you to vote for this function, which is extremely important in cases with two links for failover.

    11 votes
    0 comments  ·  Remote Ethernet Device (RED)
  • Second DHCP Server in DHCP relay

    It would be great if you could enter two DHCP servers in the DHCP relay. We have two Windows 2012 R2 servers in an active/standby cluster. If the active node fails, the secondary takes over. But we have to take care to change the server in the relay on the UTM so that it still works.

    34 votes
    1 comment  ·  Networking