Do you recognize a good idea when you see one? We want to hear from you!
Header Image

UTM (Formerly ASG) Feature Requests

Do you have an idea for Sophos UTM? Do you recognize a good idea when you see one? We want to hear from you!

I suggest you ...

You've used all your votes and won't be able to post a new idea, but you can still search and comment on existing ideas.

There are two ways to get more votes:

  • When an admin closes an idea you've voted on, you'll get your votes back from that idea.
  • You can remove your votes from an open idea you support.
  • To see ideas you have already voted on, select the "My feedback" filter and select "My open ideas".
(thinking…)

Enter your idea and we'll search to see if someone has already suggested it.

If a similar idea already exists, you can vote and comment on it.

If it doesn't exist, you can post your idea so others can vote on it.

Enter your idea and we'll search to see if someone has already suggested it.

  • Hot ideas
  • Top ideas
  • New ideas
  1. Add the ability to limit number of hours on a application or application group

    The ever increasing demand for our users to have access to you tube, social media or even gaming sites (during lunch hour, hopefully) creates an administrative burden and HR nightmare for many employers. I would suggest that having the ability to limit the number of hours spent by a user or dept on a weekly or monthly basis would be an invaluable tool. This way you can create what is deemed an acceptable number of hours based on a users organizational responsibilities and only have to monitor by exception. This would also be applicable in a home setting where a…

    1 vote
    Vote
    Sign in
    Check!
    (thinking…)
    Reset
    or sign in with
    • facebook
    • google
      Password icon
      I agree to the terms of service
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Control  ·  Flag idea as inappropriate…  ·  Admin →
    • WebSecurity: Local Override of Site Classification - SophosLabs awareness

      This new feature os V9.2 is really great.
      a plus could be to integrate a mechanism that upload the "customer's site classification" to Sophos labs this way those re-categorized sites could be include in the sophoslabs's "robot script analysis" in a way to have a more rapid and efficient catgorization of this customer's visited sites.
      usefull for "uncategorized" web sites and "local" (non-english worded) web sites.
      99% of the time if customer recategorize this sites it's because classification is unaccurrate

      2 votes
      Vote
      Sign in
      Check!
      (thinking…)
      Reset
      or sign in with
      • facebook
      • google
        Password icon
        I agree to the terms of service
        Signed in as (Sign out)
        You have left! (?) (thinking…)
        0 comments  ·  Web Protection  ·  Flag idea as inappropriate…  ·  Admin →
      • Add Report for ChangeLog entries

        I would like to vote for a report that can be send out once a week that displays the ChangeLog entries so that you can monitor the changes made and send them out to some business devision to become some how compliant to auditing requirements.

        3 votes
        Vote
        Sign in
        Check!
        (thinking…)
        Reset
        or sign in with
        • facebook
        • google
          Password icon
          I agree to the terms of service
          Signed in as (Sign out)
          You have left! (?) (thinking…)
          0 comments  ·  Management  ·  Flag idea as inappropriate…  ·  Admin →
        • Display Current Time/Date on Up2Date Screen

          I often find when I schedule a UTM to update its firmware, that I'm having to bounce back to the dashboard to ensure that the time/date of the UTM is correct, I never take this for granted. So my idea is to simply put the system date/time at least on the Up2Date screen, if not just at the top of the screen in general.

          1 vote
          Vote
          Sign in
          Check!
          (thinking…)
          Reset
          or sign in with
          • facebook
          • google
            Password icon
            I agree to the terms of service
            Signed in as (Sign out)
            You have left! (?) (thinking…)
            0 comments  ·  Management  ·  Flag idea as inappropriate…  ·  Admin →
          • Private PSK

            Aerohive has what they call "private PSK" that allows a single SSID to serve many users each with their own psk. Each can be assigned different security from temporary day users with limited access to full access workers.

            3 votes
            Vote
            Sign in
            Check!
            (thinking…)
            Reset
            or sign in with
            • facebook
            • google
              Password icon
              I agree to the terms of service
              Signed in as (Sign out)
              You have left! (?) (thinking…)
              0 comments  ·  Wireless Protection  ·  Flag idea as inappropriate…  ·  Admin →
            • DHCP Relay Load Balancing

              The DHCP relay feature allows the use of an availability group which can have one or more DHCP servers defined. The issue is the second server listed would never get a request unless the first one fails.

              Starting with Windows 2012 R2 the DHCP service supports failover/load balanced scopes without the need for complex clustering technologies. Basically the servers have a copy of the scope each and have a defined percentage which they can issue. Plus they monitor each other for taking over the scope if the partner was to fail.

              Now we would like to use the load balancing…

              10 votes
              Vote
              Sign in
              Check!
              (thinking…)
              Reset
              or sign in with
              • facebook
              • google
                Password icon
                I agree to the terms of service
                Signed in as (Sign out)
                You have left! (?) (thinking…)
                0 comments  ·  Flag idea as inappropriate…  ·  Admin →
              • SPX Encryption > Detect "SPX password for" messages that are forwarded by users to be blocked.

                Current 9.200-11 does not detect if a user attempts to Forward the SPX password notification e-mail to the outside receiver. So the "Data Protection Configuration" setting of "On match, notify" is pretty worthless when you select "User" as they can simply forward the notice to the receiver.

                1 vote
                Vote
                Sign in
                Check!
                (thinking…)
                Reset
                or sign in with
                • facebook
                • google
                  Password icon
                  I agree to the terms of service
                  Signed in as (Sign out)
                  You have left! (?) (thinking…)
                  0 comments  ·  Mail Protection  ·  Flag idea as inappropriate…  ·  Admin →
                • Email Encryption > Methodology similar to Cisco Registered Envelope Service

                  With a Cisco IronPort you have the ability to define Content Filters which then will trigger different levels of encryption requirements.
                  Example: Detects Value > Check for TLS Receiver > If found, Use TLS > If not TLS then use Cisco Registered Envelope Service (RES).
                  This provides you with a way to ensure the communication is encrypted and provides a third-party login/verification system for the end-user to be able to decrypt the e-mail if their server was not setup with TLS Encryption.
                  Along those ideas you can define rules that any e-mails meeting a requirement must use Cisco RES only.

                  1 vote
                  Vote
                  Sign in
                  Check!
                  (thinking…)
                  Reset
                  or sign in with
                  • facebook
                  • google
                    Password icon
                    I agree to the terms of service
                    Signed in as (Sign out)
                    You have left! (?) (thinking…)
                    0 comments  ·  Mail Protection  ·  Flag idea as inappropriate…  ·  Admin →
                  • Ability to not allow management via "additional IPs"

                    Ability to not allow management via "additional IPs". I add an additional WAN IP to the outside interface and I want to prevent mgmt on that IP. Have the choice to only allow mgmt on the original IP assigned to the interface.

                    2 votes
                    Vote
                    Sign in
                    Check!
                    (thinking…)
                    Reset
                    or sign in with
                    • facebook
                    • google
                      Password icon
                      I agree to the terms of service
                      Signed in as (Sign out)
                      You have left! (?) (thinking…)
                      0 comments  ·  Flag idea as inappropriate…  ·  Admin →
                    • AP MAC pick list

                      Recently we added an AP to a customers Sophos UTM 120. When it came to Whitelisting MAC address (Wireless Protection> Wireless Networks> Edit the AP> Advanced) we were presented with the "Please select" in the MAC Addresses field in the AP Edit interface Advanced window.
                      The wireless laptops were confirmed as having connected to the AP and had their respective MAC Address appear in the Wireless Protection > Wireless Clients list.
                      With help from Zak (Sophos support) we were informed we had to manually add the MAC addresses to the Definitions & Users > Network Definitions > MAC Address Definitions…

                      1 vote
                      Vote
                      Sign in
                      Check!
                      (thinking…)
                      Reset
                      or sign in with
                      • facebook
                      • google
                        Password icon
                        I agree to the terms of service
                        Signed in as (Sign out)
                        You have left! (?) (thinking…)
                        0 comments  ·  Wireless Protection  ·  Flag idea as inappropriate…  ·  Admin →
                      • Make the IPS rules CVE/Mitre compatible

                        Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities. CVE’s common identifiers make it easier to share data across separate network security databases and tools, and provide a baseline for evaluating the coverage of an organization’s security tools. If a report from one of your security tools incorporates CVE Identifiers, you may then quickly and accurately access fix information in one or more separate CVE-compatible databases to remediate the problem.

                        http://cve.mitre.org/compatible/compatible.html

                        1 vote
                        Vote
                        Sign in
                        Check!
                        (thinking…)
                        Reset
                        or sign in with
                        • facebook
                        • google
                          Password icon
                          I agree to the terms of service
                          Signed in as (Sign out)
                          You have left! (?) (thinking…)
                          0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
                        • Prevent WebAdmin on additional IP address.

                          When an additional address is added to an external interface, the UTM can be managed through WebAdmin over port 4444 on that additional address. I would like to see a check box when adding the new addtional IP address that asks if you'd like to be able to manage over this IP or not.
                          The additional IP is usually for a NAT, say for instance a NAT for my exchange server. It doesn't make sense to me that https://ip-of-exchange-server:4444 allows someone to manage the firewall.

                          3 votes
                          Vote
                          Sign in
                          Check!
                          (thinking…)
                          Reset
                          or sign in with
                          • facebook
                          • google
                            Password icon
                            I agree to the terms of service
                            Signed in as (Sign out)
                            You have left! (?) (thinking…)
                            0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
                          • WPA2 Enterprise can Authenticate/Authorize Local Users

                            I've run into a situation on several occasions where WPA2 Enterprise could also use local users/groups for authentication/authorization.

                            3 votes
                            Vote
                            Sign in
                            Check!
                            (thinking…)
                            Reset
                            or sign in with
                            • facebook
                            • google
                              Password icon
                              I agree to the terms of service
                              Signed in as (Sign out)
                              You have left! (?) (thinking…)
                              0 comments  ·  Wireless Protection  ·  Flag idea as inappropriate…  ·  Admin →
                            • HTML5 VPN - using RDP, local dirves and printer needed !!!

                              If using html5 vpn portal via rdp protokol, user need local drives and local printer at win- terminal server!!! like possible in standard windows rdp sessions ....

                              10 votes
                              Vote
                              Sign in
                              Check!
                              (thinking…)
                              Reset
                              or sign in with
                              • facebook
                              • google
                                Password icon
                                I agree to the terms of service
                                Signed in as (Sign out)
                                You have left! (?) (thinking…)
                                0 comments  ·  VPN  ·  Flag idea as inappropriate…  ·  Admin →
                              • Convert mail body from HTML to plain text by rule

                                Allow mail to be converted to plain text selectable by common filtering rules (similar to exceptions) where the incoming/outgoing e-mail address/domain/ip address/etc can be used to choose when the email is considered the content may be safe, but links, images, and other rich content would show the HTML code rather than the objects themselves.

                                This would add additional safety for e-mail addresses that are used receive mail and automatically process them and also to further reduce risks where warranted. This should be implemented on UTMs with Mail support as well.

                                1 vote
                                Vote
                                Sign in
                                Check!
                                (thinking…)
                                Reset
                                or sign in with
                                • facebook
                                • google
                                  Password icon
                                  I agree to the terms of service
                                  Signed in as (Sign out)
                                  You have left! (?) (thinking…)
                                  0 comments  ·  Mail Protection  ·  Flag idea as inappropriate…  ·  Admin →
                                • agent less NAC solution as a NAC Subscription

                                  agent less NAC solution - as UTM we have the asset list and MAC details -
                                  implementing agent less NAC solution we can integrate with the Sophos endpoint as vulnerability assessments, patch management using the Sophos Endpoint advance Suite

                                  agent less NAC - Like Netclarity or ForeScout

                                  1 vote
                                  Vote
                                  Sign in
                                  Check!
                                  (thinking…)
                                  Reset
                                  or sign in with
                                  • facebook
                                  • google
                                    Password icon
                                    I agree to the terms of service
                                    Signed in as (Sign out)
                                    You have left! (?) (thinking…)
                                    0 comments  ·  Network Protection  ·  Flag idea as inappropriate…  ·  Admin →
                                  • Complete visibility of evasive applications

                                    Content upload via - web mail, Social networking sites, Blogs, Instant Messaging, Web uploads Mail, P2P,Skype, - data protection
                                    count the number of email sent from the clients using the subject - Header. Monitoring IM ,

                                    1 vote
                                    Vote
                                    Sign in
                                    Check!
                                    (thinking…)
                                    Reset
                                    or sign in with
                                    • facebook
                                    • google
                                      Password icon
                                      I agree to the terms of service
                                      Signed in as (Sign out)
                                      You have left! (?) (thinking…)
                                      0 comments  ·  Web Protection  ·  Flag idea as inappropriate…  ·  Admin →
                                    • EndPoint: Change display language based on the OS language

                                      Normally, the display language is based on the settings of the operating system. In the Sophos products the language is oriented to the language of the region setting. This is somewhat unfortunate, since we, for example, use only software with the english language. The location of the operating system is set to a German-speaking country. Thus, the console (Server & Client) appears only in German. It only change the language if I change the Region to an english-speaking country. It would be useful to customize this.

                                      3 votes
                                      Vote
                                      Sign in
                                      Check!
                                      (thinking…)
                                      Reset
                                      or sign in with
                                      • facebook
                                      • google
                                        Password icon
                                        I agree to the terms of service
                                        Signed in as (Sign out)
                                        You have left! (?) (thinking…)
                                        0 comments  ·  Flag idea as inappropriate…  ·  Admin →
                                      • outbound smtp antispam scan through firewall rules

                                        outbound smtp antispam scan through firewall rules with out email Security proxy

                                        1 vote
                                        Vote
                                        Sign in
                                        Check!
                                        (thinking…)
                                        Reset
                                        or sign in with
                                        • facebook
                                        • google
                                          Password icon
                                          I agree to the terms of service
                                          Signed in as (Sign out)
                                          You have left! (?) (thinking…)
                                          0 comments  ·  Mail Protection  ·  Flag idea as inappropriate…  ·  Admin →
                                        • 29 votes
                                          Vote
                                          Sign in
                                          Check!
                                          (thinking…)
                                          Reset
                                          or sign in with
                                          • facebook
                                          • google
                                            Password icon
                                            I agree to the terms of service
                                            Signed in as (Sign out)
                                            You have left! (?) (thinking…)
                                            0 comments  ·  VPN  ·  Flag idea as inappropriate…  ·  Admin →
                                          • Don't see your idea?

                                          Feedback and Knowledge Base