
UTM (Formerly ASG) Feature Requests

Do you have an idea for Sophos UTM? Do you recognize a good idea when you see one? We want to hear from you!

  1. Web Protection: Possibility to select existing URL blacklist & whitelist objects

    In UTM 9.3 Sophos introduced the concept of URL tags, but the referenced website configuration "only" supports URLs, domains, IP addresses and CIDR ranges. So they do not fully replace blacklist/whitelist entries, which especially allow regular expressions.

    Therefore I do not see http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/436457-web-protection-global-url-blacklist-whitelist-f as completed.

    Internally, black- and whitelists are obviously already global objects that are referenced in filter actions. And UTM already requires them to have a unique name even across filter actions. So we just need a possibility to choose the existing ones from a left-hand side list like any other global object.

    6 votes
    0 comments  ·  Web Protection
    • Quarantine Report for outgoing mail.

      Want to have a quarantine report for outgoing mail, and also the user can release the outgoing mail if the user finds it right to send.
      Now the outgoing mail is going to quarantined spam, but the user is not able to release it or to see it in a report.

      6 votes
      0 comments  ·  Notifications
      • Native Microsoft Azure Site-to-Site VPN

        Sophos UTM already natively supports automatic site-to-site VPN tunnels with BGP routing to AWS. I look forward to Sophos UTM supporting the same sort of site-to-site VPN tunnels with BGP to Microsoft Azure in public and private cloud deployments.

        I think the easiest way for this to work would be for Sophos UTM to look at the requirements of getting the VPN itself setup (which has been documented in the forums and works), then to make BGP work on top of that, then ensure that BGP and the VPN can work between multiple private cloud and public cloud sites, then…

        100 votes
        7 comments  ·  VPN
        • Wireless Protection: Restrict voucher's volume limit to internet use / WAN external interface

          Voucher's volume limit currently has effect on complete wireless traffic of a client, so that internal traffic to local NAS systems is considered as well. This way, real INTERNET traffic of a client cannot be limited in a useful way. Please either provide a possibility to select, or configure that way that only traffic from WIRELESS to WAN interface is considered when counting volume limits of vouchers. Thanks in advance.

          2 votes
          0 comments  ·  Wireless Protection
          • User-defined field for DynDNS

            My idea: DynDNS field for a user-defined Update-URL to use all DynDNS providers and features like MX-record and A-record.

            So it is not necessary to put all DynDNS providers in the choice field.

            34 votes
            1 comment  ·  Networking
            • Additional fields in syslog messages - allow correlation with other logs

              For "reverseproxy" syslog messages, please include enough details to uniquely match the UTM's logs with other device logs (upstream firewalls, netflow, real webserver logs, etc).

              The current log doesn't include the local IP and port used by the UTM to make the request of the real web server, and it doesn't record the source port used by the true client. This makes it hard to differentiate multiple requests coming from a single NAT IP address.

              The resulting log would look like this:

              srcip='1.2.3.4' # existing
              srcport # add this to record the source port used by true client
              localip='9.8.7.6' #…

              2 votes
              1 comment  ·  Logging
              • dyndns support for all-inkl

                Hi,

                please can you add all-inkl as dyndns provider. Server for Updates at all-inkl is: dyndns.kasserver.com

                Thanks in advance,
                regards
                Herbert

                54 votes
                3 comments
                • S/MIME certificate batch import

                  It would be nice to have an option to import S/MIME certificates with a batch job and not one by one. We have many thousands of certificates and it is very time-consuming to import them one after another.

                  4 votes
                  0 comments  ·  Mail Protection
                  • WAF Reverse Proxy with authentication: forward session cookie to backend http server

                    When using the WAF (Web Server Protection) with authentication, a session cookie named BACKENDHOSTNAME_COOKIE is exchanged between browser and UTM on each HTTP request. For our application, which is launched via Webstart from the web application and communicates via HTTP, we need to forward that session cookie to the external client process.

                    Therefore the session cookie should be made optionally forwardable from the UTM to the backend HTTP server.

                    1 vote
                    1 comment  ·  Web Server Protection
                    • SSO over WAF

                      Planning to replace TMG with another UTM product. Sophos is looking good - but some features are missing which are a must-have for me:
                      Any chance we will see
                      * SSO for reverse proxy
                      * Link translation like we know it in TMG
                      * AD user change password option through rev. auth

                      These are the only major issues preventing us from switching to Sophos

                      5 votes
                      1 comment  ·  Web Server Protection
                      • User-level access control policy on Endpoint Protection

                        I would like to be able to allow flash drive access to certain users on all computers but not all users on the computers in Endpoint Protection, and there is currently no AD sync for Endpoint Protection.

                        Reference Case # 4857461

                        6 votes
                        0 comments  ·  UTM Endpoint Protection
                        • Allow SG115 bridged to LAN network

                          Currently it's not possible to use the integrated AP on the SG 115 for a bridged to LAN SSID. Most customers have purchased this unit to use it in this way rather than as a separate zone AP. Could the UTM be updated so we can use it as bridged and separate zone.

                          6 votes
                          0 comments  ·  Wireless Protection
                          • Web Protection: Search term alerts

                            Implement monitoring of inappropriate search terms as this was a feature in Sophos web appliance that had been removed in the UTM.

                            17 votes
                            3 comments  ·  Web Protection
                            • URL re-writing of links within all suspicious emails

                              A frequent tactic has been to send users socially engineered emails that are designed to entice the user to click a URL within the email. The URL web destination either automatically initiates a download, or tricks the user to enter sensitive or private information.

                              Also, there are employees who do not actually fall under the protection of firewalls and other mechanisms since they are on the road. Having this capability in UTM would increase capability a lot for some serious deployments. However, even SMBs have these needs since their endpoints are often compromised for some other stuff to be done.…

                              4 votes
                              0 comments  ·  Mail Protection
                              • Add the ability to receive an email notification whenever a user connects via SSL VPN for Remote Access.

                                Add the ability to receive an email notification whenever a user connects via SSL VPN for Remote Access. It would be nice to also have the option for a disconnect notification.

                                10 votes
                                0 comments  ·  Notifications
                                • Add IP PBX subscription

                                  I have a lot of customers that need to install an IP PBX inside their network.
                                  Instead of installing a third-party solution,
                                  why not have the Sophos SG series integrate with Asterisk, as it is open source?

                                  10 votes
                                  1 comment
                                  • Removing the internal IP from OWA log in screen

                                    I've just set up WAF for my internal Exchange Server and Outlook Web Access. I noticed on the log in screen it says "The server %FQDN of mail server% is asking for your user name and password. the Server reports that it is from %internal IP%."

                                    This is such a huge security risk. Anyone attempting to access my mail server knows the internal IP structure. Please remove this from the log in screen!

                                    6 votes
                                    0 comments  ·  Authentication
                                    • Configurable http-port for WPAD configuration file download

                                      Web browsers' automatic configuration feature uses wpad as hostname and HTTP port 80 (http://wpad/wpad.dat) to get the wpad.dat file.

                                      Unfortunately the UTM publishes the wpad.dat file on the proxy port (typically 8080) only.

                                      Please implement the possibility to set up the HTTP port for WPAD publishing.

                                      Thank you!

                                      11 votes
                                      1 comment  ·  Web Protection
                                      • WebAdmin: Related objects/configurations should be directly clickable

                                        When clicking the "Show where this object is in use and its last change" button, a list of related objects and configurations is shown.

                                        These related objects and configurations should be clickable to be taken directly to the specified object or configuration.

                                        12 votes
                                        0 comments  ·  Usability/GUI
                                        • Provide Admins a way to Disable 802.11b

                                          I've had several customers ask for the ability to disable 802.11b, etc. for wireless networks they have deployed. This is to increase performance (less radio "noise", etc.).

                                          6 votes
                                          0 comments  ·  Wireless Protection