
UTM (Formerly ASG) Feature Requests

Do you have an idea for Sophos UTM? Do you recognize a good idea when you see one? We want to hear from you!

  1. Web Protection: Youtube and blocking specific categories

    Coming from another vendor, one of the features I liked was that I could block categories within YouTube. We are a School District that needs to access YouTube (YouTube for Education has limited content). It would be nice to set up a policy or rule to be able to block these YouTube Categories.

    Currently available categories are:
    • Film
    • Autos
    • Music
    • Animals
    • Sports
    • Shortmov
    • Travel
    • Games
    • Videoblog
    • People
    • Comedy
    • Entertainment
    • News
    • Howto
    • Education
    • Tech
    • Nonprofit
    • Movies
    • Movies_anime_animation
    • Movies_action_adventure
    • Movies_classics
    • Movies_comedy …

    190 votes
    1 comment  ·  Web Protection
    • Backup Remote Gateway for IPSEC VPN Tunnel

      Main office has two ISPs, primary and backup, each with a separate WAN IP. VPN tunnel from remote office to the primary WAN IP. If primary ISP goes down, dynamic routing sends traffic out backup line. I need to be able to configure a backup Remote Gateway on the remote office UTM, so that if it can't establish a tunnel to the primary main office WAN IP, it will try to establish the tunnel to the backup WAN IP. (Very simple and do it all the time on Cisco ASAs).

      6 votes
      0 comments  ·  VPN
      • change the ssl vpn client to include auto connect.

        I have several larger clients who would like to use the SSL VPN, except they require the VPN tunnel to be "always on" as long as there is internet access. Other VPN vendors such as Cisco permit this behavior.

        1 vote
        1 comment  ·  VPN
        • Server Load Balancing: Choose HTTP Response codes for failed servers other than 5xx (for ex. 404!)

          By now only 5xx HTTP Response codes tell the SLB to disable a real server (a failed one) and 200 for OK. We want to be able to determine our own HTTP Response Code to disable real servers, like 404. This makes it way easier for an admin since he only has to check for a simple empty file - if it's there -> 200 (up), if not -> 404 (down). We use this also with HAProxy and it works great.

          16 votes
          1 comment  ·  Network Protection
          • Multi-user device

            If a user logs on to a PC, and authenticates on the UTM using browser portal, and then logs off. Before their session expires, another user logs on to the same machine...and browses as the first user!

            Other than shortening the session timer (which isn't a solution since it would force users to re-authenticate over and over) there doesn't seem to be any way to solve this.

            Or, another scenario would be a terminal server. Same problem.

            What Check Point does is to provide a multi-user agent. Source ports for browsing are in a different range for each user.

            Otherwise a pretty solid…

            2 votes
            0 comments  ·  Web Protection
            • Wildcard support for antispam's sender blacklist & excepted email addresses

              Under "EMAIL PROTECTION > SMTP > ANTISPAM > SPAMFILTER"
              you are able to block email senders by adding their domain. You are also able to use wildcards i.e. "*@domain.com".

              You can do the same under "EMAIL PROTECTION > SMTP > EXCEPTIONS" to add a sender's email address to except him from specific rules (HELO, Antispam, etc.) by using the same format and wildcards i.e. "*@domain.com".

              Unfortunately I get more and more spam emails from the same domain which uses A TON of subdomains i.e. the following (German) spam site:

              *@elektronik.de-at-ch.com
              *@rasierklingen.de-at-ch.com
              *@versicherung.de-at-ch.com
              *@mobil.de-at-ch.com
              *@reisen.de-at-ch.com

              The same applies to whitelist pages i.e.…

              8 votes
              0 comments  ·  Mail Protection
              • Web Filter: Bypass user can only bypass certain categories

                Is it possible to define the categories that can or cannot be bypassed rather than all or nothing? This would be useful for schools/colleges who would like to enable students to bypass particular categories with a staff-provided code.

                4 votes
                0 comments  ·  Web Protection
                • usability improvement : improve labels

                  Improve information labels in the local console: "virus data date" does not concern virus identities but the update date of the detection engine.
                  Translations are also concerned by that. Maybe the network console too.

                  7 votes
                  0 comments  ·  Management
                  • RED device with integrated wifi

                    Why not integrate wifi into the RED? Just adds to its simplicity.

                    18 votes
                    1 comment  ·  Remote Ethernet Device (RED)
                    • IEEE 802.1X authentication on RED devices

                      It would be great if you could define MAC-based authentication on the RED devices with 802.1X and a RADIUS server to ensure that just our own notebooks and phones at the remote locations can enter our company network. Foreign MAC addresses should not be authenticated and should be blocked.

                      12 votes
                      0 comments  ·  Remote Ethernet Device (RED)
                      • network order interface in VMware

                        When you have a lot of network interfaces in a Sophos VM under VMware, the order in the VMware network configuration file (vmx) does not match the Sophos network order. You have to match the MAC addresses between UTM and VMware or edit the /etc/udev/rules.d/70-persistant-net.rule file. Could you please let the customer renumber the ethX under webmin?

                        6 votes
                        1 comment  ·  Networking
                        • SUM as add-on for Synology NAS.

                          I would like to run Sophos UTM Manager (SUM) as a Plug-In on Synology NAS in order to get a simple and flexible solution and at the same time reduce additional hardware.

                          10 votes
                          0 comments  ·  Management
                          • Add Dropcam traffic to Application Control

                            Dropcam is a WIFI camera by a company called Nest. Nest creates the Nest thermostat, and the Nest Protect smoke alarms.
                            Here is a link to what Dropcam is: https://www.dropcam.com/

                            Sophos UTM shows Dropcam traffic as "OpenVPN" using TCP 443
                            It would be helpful if we could see this traffic as Dropcam traffic

                            7 votes
                            2 comments  ·  Application Control
                            • Provide ability to configure de-authorization timeout on wireless.

                              We have recently run into an issue with our older Spectrum barcode scanning guns when deploying Wireless APs. On the old APs, we were able to configure the de-authorization timeout value and set it to a high enough threshold to keep the guns active even when idle for a short time. This is not configurable on the Sophos APs and devices are becoming de-authorized in too short a time, less than 60 seconds when not active.

                              3 votes
                              0 comments  ·  Wireless Protection
                              • kl

                                Generate an email alert for high CPU and RAM usage

                                It would be nice to be alerted via email (or other methods) when the CPU usage or CPU usage of the Sophos appliance gets above a certain threshold. We have had issues where our customers suffer from slow internet speeds that are caused by high device utilization. It would be nice to be alerted to this.

                                3 votes
                                0 comments  ·  Reporting
                                • IKEv2 support

                                  We would like to see IKEv2 support so that we can connect to Azure.

                                  Otherwise this will be a deal breaker and we will be forced to use other appliances very soon.

                                  6 votes
                                  1 comment  ·  VPN
                                  • Users are able to login via SSL VPN (when password expired for example weekend) without any IT intervention.

                                    This is very important, because many companies use this type of password policy and in this form of SSL VPN is usable. For example, at the weekend there aren’t AD sysadmins at many companies, so at this time, when the password has expired, the users are unable to log in via SSL VPN.

                                    1 vote
                                    0 comments
                                    • Agentless authentication

                                      Hello, is it planned to implement something like agentless authentication of client computers? For example, some agent service in Active Directory supervising the Kerberos tickets and in this way using them in group- or user-based firewall rules?
                                      Thanks a lot for your answer.

                                      3 votes
                                      0 comments  ·  Authentication
                                      • By adding an option to mark as spam emails with no “From” field, this gives the administrator more control over blocking such emails.

                                        How will this new feature address your business requirements?: By adding an option to mark as spam emails with no “From” field, this gives the administrator more control over blocking such emails. At the moment, blank From fields are getting through the Pure Message Filter. It would also be valuable for Pure Message to display machines sending emails out as this would identify machines on the network with a potential problem.

                                        How would you rate the importance of this feature?; 1 = Critical, 5 = Nice-to-have: 1 – If someone crafts an email with no From field, linking to malware…

                                        1 vote
                                        0 comments
                                        • SMTP Proxy MIME delivery status notifications

                                          Currently, the Sophos UTM OS does not support RFC 3462 MIME-type delivery status notifications. This causes issues when Outlook clients receive non-RFC bouncebacks from the UTM, as they will not treat them as delivery status notifications, but rather as new emails, and apply any inbox rules. This can lead to bounceback storms.

                                          Additionally, in an Exchange environment, bouncebacks are intercepted and reformatted for easier user readability.

                                          5 votes
                                          0 comments  ·  Mail Protection